CVE-2024-23329 – changedetection.io

Package

Manager: pip
Name: changedetection.io
Vulnerable Version: >=0.39.14 <0.45.13

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

EPSS: 0.00345 pctl0.56376

Details

changedetection.io API endpoint is not secured with API token ### Summary API endpoint `/api/v1/watch/<uuid>/history` can be accessed by any unauthorized user. ### Details WatchHistory resource does not have `@auth.check_token` annotation, which means it can be accessed without providing `x-api-key` header. https://github.com/dgtlmoon/changedetection.io/blob/9510345e01ea8e308c339163d8e8b030ce5ac7f1/changedetectionio/api/api_v1.py#L129-L156 ### PoC 1. Get list of watch with `x-api-key`: ```sh $ curl -H "x-api-key: apikeyhere" http://localhost:5000/api/v1/watch {"uuid": ...} ``` 2. Call for history of snapshots without `x-api-key`. Expected - 401/403 error. Actual - list of snapshots is listed. ```sh $ curl http://localhost:5000/api/v1/watch/uuid/history {"timestamp": "/path/to/snapshot.txt"} ``` ### Impact Anybody can check one's watch history. However, because unauthorized party first needs to know watch UUID, and the watch history endpoint itself returns only paths to the snapshot on the server, an impact on users' data privacy is minimal.

Metadata

Created: 2024-01-23T12:50:59Z
Modified: 2024-09-13T17:38:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-hcvp-2cc7-jrwr/GHSA-hcvp-2cc7-jrwr.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-hcvp-2cc7-jrwr
Finding: F006
Auto approve: 1