logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-51998 changedetection-io

Package

Manager: pip
Name: changedetection-io
Vulnerable Version: =0.38.2 || =0.39 || =0.39.1 || =0.39.10 || =0.39.10.post1 || =0.39.10.post2 || =0.39.11 || =0.39.12 || =0.39.13 || =0.39.13.1 || =0.39.14 || =0.39.14.1 || =0.39.15 || =0.39.16 || =0.39.17 || =0.39.17.1 || =0.39.17.2 || =0.39.18 || =0.39.19 || =0.39.19.1 || =0.39.2 || =0.39.20 || =0.39.20.1 || =0.39.20.2 || =0.39.20.3 || =0.39.20.4 || =0.39.21 || =0.39.21.1 || =0.39.22 || =0.39.22.1 || =0.39.3 || =0.39.4 || =0.39.5 || =0.39.6 || =0.39.7 || =0.39.8 || =0.39.9 || =0.40.0 || =0.40.0.1 || =0.40.0.2 || =0.40.0.3 || =0.40.0.4 || =0.40.1.0 || =0.40.1.1 || =0.40.2 || =0.40.3 || =0.41 || =0.41.1 || =0.42 || =0.42.1 || =0.42.2 || =0.42.3 || =0.43.1 || =0.43.2 || =0.44 || =0.44.1 || =0.45 || =0.45.1 || =0.45.11 || =0.45.12 || =0.45.13 || =0.45.14 || =0.45.15 || =0.45.16 || =0.45.17 || =0.45.18 || =0.45.19 || =0.45.2 || =0.45.20 || =0.45.21 || =0.45.22 || =0.45.23 || =0.45.24 || =0.45.25 || =0.45.26 || =0.45.3 || =0.45.4 || =0.45.5 || =0.45.6 || =0.45.7 || =0.45.7.1 || =0.45.7.2 || =0.45.7.3 || =0.45.8 || =0.45.8.1 || =0.45.9 || =0.46.0 || =0.46.1 || =0.46.2 || =0.46.3 || =0.46.4 || =0.47.0 || =0.47.1 || =0.47.2 || =0.47.3 || =0.47.4 || =0.47.5 || >=0 <0.47.6

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

EPSS: 0.00078 pctl0.24078

Details

changedetection.io path traversal using file URI scheme without supplying hostname ### Summary The validation for the file URI scheme falls short, and results in an attacker being able to read any file on the system. This issue only affects instances with a webdriver enabled, and `ALLOW_FILE_URI` false or not defined. ### Details The check used for URL protocol, `is_safe_url`, allows `file:` as a URL scheme: https://github.com/dgtlmoon/changedetection.io/blob/e0abf0b50507a8a3d0c1d8522ab23519b3e4cdf4/changedetectionio/model/Watch.py#L11-L13 It later checks if local files are permitted, but one of the preconditions for the check is that the URL starts with `file://`. The issue comes with the fact that the file URI scheme is not required to have double slashes. > A valid file URI must therefore begin with either `file:/path` (no hostname), `file:///path` (empty hostname), or `file://hostname/path`. > — [Wikipedia](https://en.wikipedia.org/wiki/File_URI_scheme#Number_of_slash_characters) https://github.com/dgtlmoon/changedetection.io/blob/e0abf0b50507a8a3d0c1d8522ab23519b3e4cdf4/changedetectionio/processors/__init__.py#L37-L41 ### PoC 1. Open up a changedetection.io instance with a webdriver configured 2. Create a new watch: `file:/etc/passwd` or a similar path for your operating system. Enable webdriver mode 3. Wait for it to be checked 4. Open preview 5. Notice contents of the file

Metadata

Created: 2024-11-07T22:00:58Z
Modified: 2024-11-08T14:08:10.064612Z
Source: https://osv-vulnerabilities
CWE IDs: ["CWE-22"]
Alternative ID: N/A
Finding: F063
Auto approve: 1