{"id":"UBUNTU-CVE-2023-46303","details":"link_to_local_path in ebooks/conversion/plugins/html_input.py in calibre before 6.19.0 can, by default, add resources outside of the document root.","modified":"2026-01-20T18:11:22.712239Z","published":"2023-10-22T18:15:00Z","upstream":["CVE-2023-46303"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-46303"},{"type":"REPORT","url":"https://github.com/0x1717/ssrf-via-img"},{"type":"REPORT","url":"https://github.com/kovidgoyal/calibre/compare/v6.18.1...v6.19.0"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2023-46303"}],"affected":[{"package":{"name":"calibre","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/calibre@2.55.0+dfsg-1ubuntu0.2?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.33.0+dfsg-1build1","2.38.0+dfsg-1","2.45.0+dfsg-1","2.45.0+dfsg-1build1","2.48.0+dfsg-1","2.48.0+dfsg-1build1","2.54.0+dfsg-1","2.55.0+dfsg-1","2.55.0+dfsg-1ubuntu0.2"],"ecosystem_specific":{"binaries":[{"binary_version":"2.55.0+dfsg-1ubuntu0.2","binary_name":"calibre"},{"binary_version":"2.55.0+dfsg-1ubuntu0.2","binary_name":"calibre-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-46303.json"}},{"package":{"name":"calibre","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/calibre@3.21.0+dfsg-1build1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.7.0+dfsg-2","3.7.0+dfsg-2build1","3.12.0+dfsg-1","3.13.0+dfsg-1","3.14.0+dfsg-1","3.15.0.1+dfsg-1","3.16.0+dfsg-1","3.16.0+dfsg-1build1","3.17.0+dfsg-1","3.17.0+dfsg-2","3.18.0+dfsg-1build1","3.19.0+dfsg-1","3.20.0+dfsg-1","3.21.0+dfsg-1","3.21.0+dfsg-1build1"],"ecosystem_specific":{"binaries":[{"binary_version":"3.21.0+dfsg-1build1","binary_name":"calibre"},{"binary_version":"3.21.0+dfsg-1build1","binary_name":"calibre-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-46303.json"}},{"package":{"name":"calibre","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/calibre@4.99.4+dfsg+really4.12.0-1ubuntu1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.46.0+dfsg-1","4.2.0+dfsg-2","4.3.0+dfsg-1","4.3.0+dfsg-2","4.4.0+dfsg-1","4.5.0+dfsg-1","4.5.0+dfsg-2","4.5.0+dfsg-3","4.6.0+dfsg-1","4.7.0+dfsg-1","4.99.3+dfsg-2","4.99.4+dfsg-1","4.99.4+dfsg-1build1","4.99.4+dfsg+really4.10.0+py3-2","4.99.4+dfsg+really4.11.2-1","4.99.4+dfsg+really4.11.2-1build1","4.99.4+dfsg+really4.12.0-1","4.99.4+dfsg+really4.12.0-1build1","4.99.4+dfsg+really4.12.0-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"4.99.4+dfsg+really4.12.0-1ubuntu1","binary_name":"calibre"},{"binary_version":"4.99.4+dfsg+really4.12.0-1ubuntu1","binary_name":"calibre-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-46303.json"}},{"package":{"name":"calibre","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/calibre@5.37.0+dfsg-1build1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["5.25.0+dfsg-2","5.33.2+dfsg-1","5.34.0+dfsg-1","5.35.0+dfsg-1ubuntu2","5.37.0+dfsg-1","5.37.0+dfsg-1build1"],"ecosystem_specific":{"binaries":[{"binary_version":"5.37.0+dfsg-1build1","binary_name":"calibre"},{"binary_version":"5.37.0+dfsg-1build1","binary_name":"calibre-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-46303.json"}},{"package":{"name":"calibre","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/calibre@7.6.0+ds-1build1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["6.24.0+ds-1","6.29.0+ds-1","7.0.0+ds-1","7.1.0+ds-1","7.1.0+ds-2","7.2.0+ds-1","7.2.0+ds-1build1","7.3.0+ds-1","7.4.0+ds-1","7.5.1+ds-1","7.5.1+ds-2","7.5.1+ds-3","7.6.0+ds-1","7.6.0+ds-1build1"],"ecosystem_specific":{"binaries":[{"binary_version":"7.6.0+ds-1build1","binary_name":"calibre"},{"binary_version":"7.6.0+ds-1build1","binary_name":"calibre-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-46303.json"}},{"package":{"name":"calibre","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/calibre@8.8.0+ds-3build1?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["7.26.0+ds-4build1","8.3.0+ds-1","8.4.0+ds-1","8.5.0+ds-1","8.6.0+ds-1","8.7.0+ds-1","8.8.0+ds-2","8.8.0+ds-3","8.8.0+ds-3build1"],"ecosystem_specific":{"binaries":[{"binary_version":"8.8.0+ds-3build1","binary_name":"calibre"},{"binary_version":"8.8.0+ds-3build1","binary_name":"calibre-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-46303.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]}