Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jd2dnLTU3eGotZzc3cs4ABA6Q

changedetection.io Path Traversal

Summary

When a WebDriver is used to fetch files source:file:///etc/passwd can be used to retrieve local system files, where the more traditional file:///etc/passwd gets blocked

Details

The root cause is the payload source:file:///etc/passwdpasses the regex here and also passes the check here where a traditional file:///etc/passwd would get blocked

PoC

CL-ChangeDetection.io Path Travsersal-311024-181039.pdf

Impact

It depends on where the webdriver is deployed but generally this is a high impact vulnerability

Permalink: https://github.com/advisories/GHSA-cwgg-57xj-g77r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jd2dnLTU3eGotZzc3cs4ABA6Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 days ago
Updated: 5 days ago


CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Identifiers: GHSA-cwgg-57xj-g77r, CVE-2024-51483
References: Repository: https://github.com/dgtlmoon/changedetection.io
Blast Radius: 1.0

Affected Packages

pypi:changedetection.io
Dependent packages: 0
Dependent repositories: 0
Downloads: 10,015 last month
Affected Version Ranges: <= 0.47.4
Fixed in: 0.47.5
All affected versions: 0.38.2, 0.39.1, 0.39.2, 0.39.3, 0.39.4, 0.39.5, 0.39.6, 0.39.7, 0.39.8, 0.39.9, 0.39.10, 0.39.11, 0.39.12, 0.39.13, 0.39.14, 0.39.15, 0.39.16, 0.39.17, 0.39.18, 0.39.19, 0.39.20, 0.39.21, 0.39.22, 0.40.0, 0.40.2, 0.40.3, 0.41.1, 0.42.1, 0.42.2, 0.42.3, 0.43.1, 0.43.2, 0.44.1, 0.45.1, 0.45.2, 0.45.3, 0.45.4, 0.45.5, 0.45.6, 0.45.7, 0.45.8, 0.45.9, 0.45.11, 0.45.12, 0.45.13, 0.45.14, 0.45.15, 0.45.16, 0.45.17, 0.45.18, 0.45.19, 0.45.20, 0.45.21, 0.45.22, 0.45.23, 0.45.24, 0.45.25, 0.45.26, 0.46.0, 0.46.1, 0.46.2, 0.46.3, 0.46.4, 0.47.0, 0.47.1, 0.47.2, 0.47.3, 0.47.4
All unaffected versions: 0.47.5