CVE-2021-3987: 
Python vulnerability analysis and mitigation

An improper access control vulnerability (CVE-2021-3987) exists in janeczku/calibre-web that allows users without public shelf permissions to create public shelves. The vulnerability was discovered and disclosed on November 15, 2024, affecting versions up to (excluding) 0.6.15. The issue stems from the create_shelf method in shelf.py not verifying if the user has the necessary permissions to create a public shelf (NVD, Huntr).

The vulnerability exists in the create_shelf method within shelf.py, which fails to validate user permissions before allowing the creation of public shelves. The CVSS v3.1 base score is 4.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N according to NVD, while Huntr.dev assessed it with a score of 5.4 (MEDIUM) and vector string CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (NVD).

This vulnerability allows unauthorized users to perform actions beyond their assigned permissions by creating public shelves despite lacking the necessary privileges. This can lead to unauthorized actions being performed by users who should not have such capabilities (NVD, Huntr).

The vulnerability has been fixed in version 0.6.15 of calibre-web through a patch that adds proper permission validation checks before allowing the creation of public shelves. The fix was implemented in commit bcdc97641447965af486964537f3821f47b28874 (Github Patch).