Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jd2dnLTU3eGotZzc3cs4ABA6Q
changedetection.io Path Traversal
Summary
When a WebDriver (browser) fetcher is used, a watch URL of the form source:file:///etc/passwd can be used to retrieve local system files, whereas the plain form file:///etc/passwd is blocked.
Details
The root cause is that the payload source:file:///etc/passwd passes the URL-safety regex in changedetectionio/model/Watch.py (linked under References) and also passes the file:// check in changedetectionio/processors/__init__.py (also linked below), whereas a plain file:///etc/passwd is blocked by that check. The check does not account for the "source:" prefix, so prefixing the file:// URL with it is enough to bypass the block.
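To make the bypass concrete, the following is an added illustrative example, written for this page and not taken from changedetection.io's own code. It models the pattern the advisory describes: a scheme allowlist that tolerates a "source:" prefix (the project's marker for "return the raw page source"), next to a file:// gate that inspects the raw URL string. The regexes, the strip_source_prefix helper, the allow_file_uri parameter and all sample URLs are assumptions constructed for the demonstration; the real functions, names and line numbers are only those in the referenced files.

```python
import re

# Constructed for this example: an allowlist of fetchable schemes. The
# project's real regex is at the Watch.py reference below; this one only
# models its shape (anchored, case-insensitive).
SAFE_PROTOCOL_REGEX = re.compile(r"^(http|https|ftp|file):", re.IGNORECASE)

# "source:" asks the fetcher for raw page source rather than rendered text.
SOURCE_PREFIX = re.compile(r"^source:", re.IGNORECASE)


def strip_source_prefix(url: str) -> str:
    """Remove every leading 'source:' marker (case-insensitive).

    Looping matters: a single pass would leave 'source:source:file://...'
    with one prefix still attached, and a later startswith('file://')
    check would miss it again.
    """
    url = url.strip()
    while True:
        stripped = SOURCE_PREFIX.sub("", url, count=1).strip()
        if stripped == url:
            return url
        url = stripped


def is_safe_url(url: str) -> bool:
    """Scheme allowlist applied after the prefix is removed. This is the
    step the advisory says the payload passes: with 'source:' gone,
    'file:///etc/passwd' is an allowed scheme, exactly as it should be when
    file:// is deliberately enabled."""
    return bool(SAFE_PROTOCOL_REGEX.match(strip_source_prefix(url)))


def file_uri_blocked_vulnerable(url: str, allow_file_uri: bool = False) -> bool:
    """Gate modelled on the advisory's description of the flaw: it looks at
    the raw URL, so 'source:file:///etc/passwd' does not start with
    'file://' and is never blocked, while 'file:///etc/passwd' is."""
    if allow_file_uri:
        return False
    return url.strip().lower().startswith("file://")


def file_uri_blocked_fixed(url: str, allow_file_uri: bool = False) -> bool:
    """Hardened gate: normalise away the 'source:' prefix first, then apply
    the same rule, so both spellings of the URL reach the same decision."""
    if allow_file_uri:
        return False
    return strip_source_prefix(url).lower().startswith("file://")


def fetch_permitted(url: str, gate, allow_file_uri: bool = False) -> bool:
    """Combined decision a fetcher would make: scheme allowlist, then the
    file:// gate. Returns True when the URL would be handed to the browser."""
    if not is_safe_url(url):
        return False
    return not gate(url, allow_file_uri)


def compare_gates(urls):
    """For each constructed URL, report what the vulnerable and fixed gates
    would allow, so the bypass is visible side by side."""
    return {
        u: {
            "vulnerable": fetch_permitted(u, file_uri_blocked_vulnerable),
            "fixed": fetch_permitted(u, file_uri_blocked_fixed),
        }
        for u in urls
    }


if __name__ == "__main__":
    # Constructed sample watch URLs, not taken from the advisory's PoC file.
    samples = [
        "https://example.com/",
        "file:///etc/passwd",
        "source:file:///etc/passwd",
        "SOURCE:source:file:///etc/hosts",
        "source:javascript:alert(1)",
    ]
    for url, verdict in compare_gates(samples).items():
        print(f"{url:40} vulnerable={verdict['vulnerable']!s:5} fixed={verdict['fixed']}")
```

The point the comparison makes is that a security check must run on the same normalised value the rest of the pipeline uses. If one layer tolerates a prefix (here, the scheme allowlist after stripping "source:") and another layer inspects the raw string, the difference between them is the bypass. When a deployment intentionally enables file:// access (allow_file_uri=True here), both gates stand down together, which is the behaviour an operator would expect.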
PoC
Proof of concept: CL-ChangeDetection.io Path Travsersal-311024-181039.pdf (PDF attachment, linked under References)
Impact
The impact depends on where the WebDriver is deployed, but this is generally a high-impact vulnerability: it allows local files on the host running the browser to be read through a watch URL.
Permalink: https://github.com/advisories/GHSA-cwgg-57xj-g77r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jd2dnLTU3eGotZzc3cs4ABA6Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 days ago
Updated: 5 days ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-cwgg-57xj-g77r, CVE-2024-51483
References:
- https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-cwgg-57xj-g77r
- https://nvd.nist.gov/vuln/detail/CVE-2024-51483
- https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/model/Watch.py#L19
- https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/processors/__init__.py#L35
- https://github.com/user-attachments/files/17591630/CL-ChangeDetection.io.Path.Travsersal-311024-181039.pdf
- https://github.com/advisories/GHSA-cwgg-57xj-g77r
Blast Radius: 1.0
Affected Packages
pypi:changedetection.io
Dependent packages: 0
Dependent repositories: 0
Downloads: 10,015 last month
Affected Version Ranges: <= 0.47.4
Fixed in: 0.47.5
All affected versions: 0.38.2, 0.39.1, 0.39.2, 0.39.3, 0.39.4, 0.39.5, 0.39.6, 0.39.7, 0.39.8, 0.39.9, 0.39.10, 0.39.11, 0.39.12, 0.39.13, 0.39.14, 0.39.15, 0.39.16, 0.39.17, 0.39.18, 0.39.19, 0.39.20, 0.39.21, 0.39.22, 0.40.0, 0.40.2, 0.40.3, 0.41.1, 0.42.1, 0.42.2, 0.42.3, 0.43.1, 0.43.2, 0.44.1, 0.45.1, 0.45.2, 0.45.3, 0.45.4, 0.45.5, 0.45.6, 0.45.7, 0.45.8, 0.45.9, 0.45.11, 0.45.12, 0.45.13, 0.45.14, 0.45.15, 0.45.16, 0.45.17, 0.45.18, 0.45.19, 0.45.20, 0.45.21, 0.45.22, 0.45.23, 0.45.24, 0.45.25, 0.45.26, 0.46.0, 0.46.1, 0.46.2, 0.46.3, 0.46.4, 0.47.0, 0.47.1, 0.47.2, 0.47.3, 0.47.4
All unaffected versions: 0.47.5