Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oY3ZwLTJjYzctanJ3cs4AA4oO
changedetection.io API endpoint is not secured with API token
Summary
The API endpoint /api/v1/watch/<uuid>/history can be accessed by any unauthorized user.
Details
The WatchHistory resource is missing the @auth.check_token annotation, which means it can be accessed without providing the x-api-key header.
PoC
- Get the list of watches with x-api-key:
$ curl -H "x-api-key: apikeyhere" http://localhost:5000/api/v1/watch
{"uuid": ...}
- Request the snapshot history without x-api-key. Expected: a 401/403 error. Actual: the list of snapshots is returned.
$ curl http://localhost:5000/api/v1/watch/uuid/history
{"timestamp": "/path/to/snapshot.txt"}
Impact
Anybody can read another user's watch history. However, because an unauthorized party first needs to know the watch UUID, and the watch history endpoint itself returns only paths to snapshots on the server, the impact on users' data privacy is minimal.
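The following is an added illustration, not code from changedetection.io: a framework-free sketch of the decorator pattern the Details and PoC sections describe. A check_token decorator (an assumed stand-in for the project's @auth.check_token) guards resource methods by checking the x-api-key header, one resource is left unguarded in the same way WatchHistory was, and an audit helper lists every HTTP handler that lacks the guard so a missing decorator fails a unit test instead of shipping. The key value, resource names and snapshot data are constructed, and requests are plain dicts, so nothing here touches a network.

```python
"""Added example, not changedetection.io's own code: token-guarded API
resources, one deliberately unguarded, plus an audit that finds the gap."""
from functools import wraps
import hmac

# Constructed key value; a real application reads it from its settings.
API_KEY = "apikeyhere"


class Unauthorized(Exception):
    """Stands in for the 403 response a real handler would return."""


def check_token(func):
    """Require a valid x-api-key header before the resource method runs.

    The wrapper is tagged with _auth_required so unprotected_methods() can
    tell guarded handlers from unguarded ones by inspection.
    """
    @wraps(func)
    def wrapper(self, request, *args, **kwargs):
        supplied = request.get("headers", {}).get("x-api-key", "")
        # Constant-time comparison so the check does not leak key bytes via timing.
        if not hmac.compare_digest(supplied, API_KEY):
            raise Unauthorized("missing or invalid x-api-key header")
        return func(self, request, *args, **kwargs)
    wrapper._auth_required = True
    return wrapper


# Constructed snapshot index; the real endpoint returns timestamp -> file path.
HISTORY = {"1700000000": "/path/to/snapshot.txt"}


class Watch:
    """Guarded, like the /api/v1/watch resource in the advisory's PoC."""
    @check_token
    def get(self, request, uuid):
        return {"uuid": uuid}


class WatchHistory:
    """Vulnerable shape: the decorator is missing, so any caller can read it."""
    def get(self, request, uuid):
        return dict(HISTORY)


class WatchHistoryFixed:
    """Fixed shape: the same body with the guard applied."""
    @check_token
    def get(self, request, uuid):
        return dict(HISTORY)


HTTP_METHODS = ("get", "post", "put", "delete", "patch")


def unprotected_methods(resources):
    """Return 'Resource.method' for every HTTP handler not tagged by check_token."""
    missing = []
    for cls in resources:
        for name in HTTP_METHODS:
            handler = getattr(cls, name, None)
            if handler is not None and not getattr(handler, "_auth_required", False):
                missing.append(f"{cls.__name__}.{name}")
    return missing


def call(resource_cls, request, uuid):
    """Dispatch a GET and report (status, body) the way a client would see it."""
    try:
        return 200, resource_cls().get(request, uuid)
    except Unauthorized:
        return 403, None


if __name__ == "__main__":
    no_key = {"headers": {}}
    with_key = {"headers": {"x-api-key": API_KEY}}
    print("Watch without key:", call(Watch, no_key, "uuid"))
    print("WatchHistory without key:", call(WatchHistory, no_key, "uuid"))
    print("WatchHistoryFixed without key:", call(WatchHistoryFixed, no_key, "uuid"))
    print("WatchHistoryFixed with key:", call(WatchHistoryFixed, with_key, "uuid"))
    print("Unguarded handlers:", unprotected_methods([Watch, WatchHistory, WatchHistoryFixed]))
```

Running the audit over the full resource list in the test suite is the practical takeaway: the advisory's root cause is a single omitted decorator, and a check that enumerates handlers and asserts each one carries the guard turns that class of omission into a failing test.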
Permalink: https://github.com/advisories/GHSA-hcvp-2cc7-jrwr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oY3ZwLTJjYzctanJ3cs4AA4oO
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 10 months ago
Updated: 2 months ago
CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-hcvp-2cc7-jrwr, CVE-2024-23329
References:
- https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-hcvp-2cc7-jrwr
- https://nvd.nist.gov/vuln/detail/CVE-2024-23329
- https://github.com/dgtlmoon/changedetection.io/commit/402f1e47e78ecd155b1e90f30cce424ff7763e0f
- https://github.com/dgtlmoon/changedetection.io/blob/9510345e01ea8e308c339163d8e8b030ce5ac7f1/changedetectionio/api/api_v1.py#L129-L156
- https://github.com/pypa/advisory-database/tree/main/vulns/changedetection-io/PYSEC-2024-15.yaml
- https://github.com/advisories/GHSA-hcvp-2cc7-jrwr
Blast Radius: 1.0
Affected Packages
pypi:changedetection.io
Dependent packages: 0
Dependent repositories: 0
Downloads: 9,471 last month
Affected Version Ranges: >= 0.39.14, <= 0.45.12
Fixed in: 0.45.13
All affected versions: 0.39.14, 0.39.15, 0.39.16, 0.39.17, 0.39.18, 0.39.19, 0.39.20, 0.39.21, 0.39.22, 0.40.0, 0.40.2, 0.40.3, 0.41.1, 0.42.1, 0.42.2, 0.42.3, 0.43.1, 0.43.2, 0.44.1, 0.45.1, 0.45.2, 0.45.3, 0.45.4, 0.45.5, 0.45.6, 0.45.7, 0.45.8, 0.45.9, 0.45.11, 0.45.12
All unaffected versions: 0.38.2, 0.39.1, 0.39.2, 0.39.3, 0.39.4, 0.39.5, 0.39.6, 0.39.7, 0.39.8, 0.39.9, 0.39.10, 0.39.11, 0.39.12, 0.39.13, 0.45.13, 0.45.14, 0.45.15, 0.45.16, 0.45.17, 0.45.18, 0.45.19, 0.45.20, 0.45.21, 0.45.22, 0.45.23, 0.45.24, 0.45.25, 0.45.26, 0.46.0, 0.46.1, 0.46.2, 0.46.3, 0.46.4, 0.47.0, 0.47.1, 0.47.2, 0.47.3, 0.47.4, 0.47.5, 0.47.6