
Cloud Vulnerability DB
A community-led vulnerabilities database
Calibre versions 7.15.0 and earlier contain an SQL injection vulnerability exploitable by any content server user who is permitted to perform full-text searches. The vulnerability was discovered in July 2024 and assigned identifier CVE-2024-7009. The issue affects the Calibre content server, specifically its full-text search (FTS) functionality (STAR Labs Advisory, NVD).
The vulnerability exists because the highlightstart and highlightend parameters of the /fts/snippets/{book_ids} endpoint, the strings wrapped around matched terms in the returned snippets, are incorporated directly into the SQL query text without sanitization or parameter binding, so a request that includes a single quote in either value terminates the string literal and the remainder is executed as SQL. NIST rated the issue CVSS v3.1 Base Score 7.1 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N; STAR Labs assigned a lower score of 4.2 (MEDIUM) in its own assessment (NVD, STAR Labs Advisory).
An attacker with privileges to perform full-text searches can use this to inject arbitrary SQL into the search query. Because the injected SQL runs in the content server's SQLite session, it can read data from any SQLite database on the server's filesystem, including the authentication credentials stored in server-users.sqlite. The advisory also reports that the injection allows limited file writes to the filesystem, which could be used to create malicious files (STAR Labs Advisory).
The vulnerability is patched in version 7.16.0: the highlightstart and highlightend values are no longer interpolated into the query string but are properly handled before the query is built, and the correct general pattern is to pass such values as bound query parameters rather than formatting them into SQL text. Deployments that cannot upgrade immediately should limit content server access to trusted, authenticated users and avoid exposing the server to untrusted networks, since any account able to run full-text searches can trigger the issue (Calibre Patch, STAR Labs Advisory).
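The following is an added illustration, not Calibre's code or the advisory's proof of concept. It reproduces the bug class described above with Python's sqlite3 module: a snippet query that formats caller-controlled highlight delimiters into SQL text, beside the hardened form that binds them as parameters. The schema, the users table (a stand-in for the credentials in server-users.sqlite), the query shape and the payload are all constructed for the example; the real endpoint passes the delimiters to SQLite's FTS5 snippet() function, which is replaced here by plain string concatenation so the example runs on any SQLite build.

```python
import sqlite3


# Constructed sample data; this is not Calibre's schema. The users table stands
# in for the credential store the advisory says an injection can reach.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE books (id INTEGER PRIMARY KEY, text TEXT);
        INSERT INTO books VALUES (1, 'the quick brown fox jumps over the lazy dog');
        CREATE TABLE users (name TEXT, pw TEXT);
        INSERT INTO users VALUES ('admin', 'hunter2');
        """
    )
    return conn


def snippet_vulnerable(conn: sqlite3.Connection, query: str, hs: str, he: str) -> list:
    # Bug pattern from the advisory: the highlight delimiters hs/he are spliced
    # into the SQL text. A single quote in either value ends the string literal
    # and whatever follows is parsed as SQL. Only the search term is bound.
    sql = (
        "SELECT id, '" + hs + "' || text || '" + he + "' FROM books "
        "WHERE text LIKE ?"
    )
    return [row[1] for row in conn.execute(sql, ("%" + query + "%",))]


def snippet_fixed(conn: sqlite3.Connection, query: str, hs: str, he: str) -> list:
    # Hardened form: every caller-supplied value is a bound parameter, so it is
    # handed to SQLite as data and can never become SQL syntax. The same applies
    # to FTS5 snippet(): its delimiter arguments are ordinary SQL expressions
    # and accept ? placeholders.
    sql = "SELECT id, ? || text || ? FROM books WHERE text LIKE ?"
    return [row[1] for row in conn.execute(sql, (hs, he, "%" + query + "%"))]


# Constructed payload for highlightstart: closes the literal, concatenates a
# subquery against another table, then reopens the literal so the query parses.
PAYLOAD = "' || (SELECT name || ':' || pw FROM users) || '"


def demo():
    conn = make_db()
    leaked = snippet_vulnerable(conn, "fox", PAYLOAD, "</b>")
    safe = snippet_fixed(conn, "fox", PAYLOAD, "</b>")
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked[0])  # credentials appear inside the snippet
    print("fixed:     ", safe[0])    # payload is returned verbatim as text
```

In the vulnerable function the credentials from the users table are prepended to the snippet, which is the same mechanism, applied across an attached database, that reaches server-users.sqlite in the real issue. In the fixed function the identical payload comes back as an inert string, which is the property a regression test for this endpoint should assert.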
Source: This report was generated using AI