If you use calibre-web to manage your e-books, you might have heard about a recent security issue: CVE-2023-2106. This vulnerability brought to light some seriously weak password requirements in the popular open-source project before version 0.6.20. In simple terms, it was way too easy for users to set short, simple passwords, leaving personal book libraries wide open to attackers.
In this exclusive long read, we’ll break down exactly what CVE-2023-2106 is, how it works, what versions are affected, how attackers could exploit it, and how you can protect yourself. We’ll even share some code snippets and links for extra reference.
What is CVE-2023-2106?
CVE-2023-2106 is a vulnerability found in the janeczku/calibre-web GitHub repo. Specifically, before version 0.6.20, calibre-web had weak password requirements, which meant users could set passwords with very little complexity (like “123”, “password”, or even just “a”).
This flaw made it much easier for attackers to guess or brute-force credentials, gaining unauthorized entry into users’ calibre-web instances. With access, attackers could view, change, or delete libraries; download entire collections; or use your server for further attacks.
Details: Where Did the Problem Lie?
Let’s look at the code. Here’s a simplified version of the problematic password check used in versions before 0.6.20:

```python
# previous versions (before 0.6.20)
def valid_password(password):
    # Only a minimum length of 3 is enforced; there are no complexity rules at all
    return len(password) >= 3
```
This check means any password with 3 or more characters was accepted. There was no enforcement for uppercase, lowercase, numbers, special characters, or even a reasonable minimum length. This let users pick incredibly weak passwords.
Exploit: How Could Attackers Abuse CVE-2023-2106?
Because passwords could be so simple, attackers could try basic or short wordlists to break into accounts. Here’s how an attacker could perform a brute-force attack:
Here’s a basic example with Python and the requests library:

```python
import requests

# Placeholder host from the post; 'Dashboard' is the marker the post uses to
# recognise a successful login page
url = 'http://target-calibre-web/login'
username = 'admin'
passwords = ['123', 'abc', 'password', 'user']

for pwd in passwords:
    data = {'username': username, 'password': pwd}
    response = requests.post(url, data=data)
    if 'Dashboard' in response.text:
        print(f'[+] Success! Password is: {pwd}')
        break
```
With so many users picking “weak by default” passwords, an attacker hardly has to try.
- Library Access: Attackers can steal, erase, or replace your ebooks.
- Stepping Stone: If your server is also used for other services, attackers might find other ways to dig deeper.
Fixed! What Did the Patch Change?
In commit f85173e, version 0.6.20 improved password validation. Instead of a minimum length of just 3, stricter requirements were added.
Here’s a *sample* of the improved check (details may vary):

```python
# Improved in 0.6.20
import re

def valid_password(password):
    # At least 8 characters, must have uppercase, lowercase, number, special char
    if len(password) < 8:
        return False
    if not re.search(r"[a-z]", password):
        return False
    if not re.search(r"[A-Z]", password):
        return False
    if not re.search(r"[0-9]", password):
        return False
    if not re.search(r"[^A-Za-z0-9]", password):
        return False
    return True
```
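To make the difference concrete, here is an added example (not calibre-web’s own code) that runs the post’s two policies side by side on the same candidates and reports every requirement a password fails, which is what a signup form should tell the user. The common-password deny-list is a hypothetical extension beyond the patch, not something the fix itself added.

```python
import re

# Constructed deny-list for this example: the values from the post's brute-force
# wordlist plus a few common defaults. A real deployment would load a large
# breached-password list instead.
COMMON_PASSWORDS = {"123", "abc", "password", "user", "admin", "12345678"}


def legacy_valid_password(password: str) -> bool:
    """Pre-0.6.20 behaviour as shown in the post: anything of 3+ characters passes."""
    return len(password) >= 3


def password_policy_errors(password: str, min_length: int = 8) -> list[str]:
    """Return every requirement the password fails (an empty list means accepted).

    Mirrors the strengthened 0.6.20-style checks from the post and adds a
    deny-list lookup (hypothetical extension, not part of the patch).
    """
    errors = []
    if len(password) < min_length:
        errors.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", password):
        errors.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        errors.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        errors.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        errors.append("no special character")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("on the common-password deny-list")
    return errors


def compare_policies(candidates):
    """Map each candidate to (accepted by legacy check, accepted by new policy)."""
    return {p: (legacy_valid_password(p), not password_policy_errors(p)) for p in candidates}


if __name__ == "__main__":
    for pwd, (old_ok, new_ok) in compare_policies(["123", "password", "Tr0ub4dor&3"]).items():
        print(f"{pwd!r}: legacy={old_ok} new={new_ok} reasons={password_policy_errors(pwd)}")
```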
How Do I Protect Myself?
1. Update Now:
Upgrade to calibre-web 0.6.20 or later. This plugs the password hole.
2. Change Weak Passwords:
If you or your users set simple passwords in the past, change them immediately. Use a password manager to pick something long and complex.
3. Don’t Open Calibre-Web to the Internet!
Keep calibre-web private (VPN or LAN only) whenever possible.
4. Enable 2FA if available.
While currently calibre-web does not have built-in two-factor authentication, you can protect the host server with external tools (e.g., reverse proxies with 2FA).
References and More Info
- CVE-2023-2106 official NVD entry
- calibre-web GitHub issue tracking the bug
- Release notes for 0.6.20
- calibre-web commit fixing the bug
- Brute-force attacks explained for beginners
Final Thoughts
CVE-2023-2106 is a textbook example of why weak password requirements aren’t just a bad idea: they’re a recipe for disaster. If you used calibre-web before 0.6.20, take action today. Security for your home library might sound quaint, but attackers never sleep.
If this was helpful, share with fellow ebook hoarders and stay safe out there!
*Got questions or want to see more security deep-dives like this? Let us know in the comments!*
Timeline
Published on: 04/15/2023 14:15:00 UTC
Last modified on: 04/25/2023 16:29:00 UTC