cve-2024-32651
Vulnerability from cvelistv5
Published
2024-04-25 23:49
Modified
2024-08-02 02:13
Severity ?
EPSS score ?
Summary
changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | dgtlmoon | changedetection.io |
Version: <= 0.45.20 |
|
|
|||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:dgtlmoon:changedetection.io:0.45.20:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "changedetection.io",
"vendor": "dgtlmoon",
"versions": [
{
"status": "affected",
"version": "0.45.20"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32651",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-07T19:43:06.358800Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-07T19:45:58.632Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:13:40.303Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3"
},
{
"name": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21"
},
{
"name": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "changedetection.io",
"vendor": "dgtlmoon",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.45.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn\u0027t required by the application (not by default and not enforced)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-25T23:49:28.540Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3"
},
{
"name": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21"
},
{
"name": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2"
},
{
"url": "https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/"
}
],
"source": {
"advisory": "GHSA-4r7v-whpg-8rx3",
"discovery": "UNKNOWN"
},
"title": "Server Side Template Injection in Jinja2 allows Remote Command Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32651",
"datePublished": "2024-04-25T23:49:28.540Z",
"dateReserved": "2024-04-16T14:15:26.876Z",
"dateUpdated": "2024-08-02T02:13:40.303Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-32651\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-04-26T00:15:08.550\",\"lastModified\":\"2024-11-21T09:15:23.947\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn\u0027t required by the application (not by default and not enforced).\"},{\"lang\":\"es\",\"value\":\"changetection.io es un servicio de detecci\u00f3n de cambios de p\u00e1ginas web, seguimiento de sitios web, monitor de reabastecimiento y notificaci\u00f3n de c\u00f3digo abierto. Hay una inyecci\u00f3n de plantilla del lado del servidor (SSTI) en Jinja2 que permite la ejecuci\u00f3n remota de comandos en el host del servidor. Los atacantes pueden ejecutar cualquier comando del sistema sin ninguna restricci\u00f3n y podr\u00edan usar un shell inverso. El impacto es cr\u00edtico ya que el atacante puede apoderarse completamente de la m\u00e1quina servidor. Esto se puede reducir si la detecci\u00f3n de cambios est\u00e1 detr\u00e1s de una p\u00e1gina de inicio de sesi\u00f3n, pero la aplicaci\u00f3n no lo requiere (no es de forma predeterminada ni obligatorio).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1336\"}]}],\"references\":[{\"url\":\"https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
ghsa-4r7v-whpg-8rx3
Vulnerability from github
Published
2024-10-15 18:05
Modified
2024-10-15 18:05
Severity ?
Summary
changedetection.io has a Server Side Template Injection using Jinja2 which allows Remote Command Execution
Details
Summary
A Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host.
Details
changedetection.io version: 0.45.20
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
dgtlmoon/changedetection.io latest 53529c2e69f1 44 hours ago 423MB
The vulnerability is caused by the usage of vulnerable functions of Jinja2 template engine.
python
from jinja2 import Environment, BaseLoader
...
# Get the notification body from datastore
jinja2_env = Environment(loader=BaseLoader)
n_body = jinja2_env.from_string(n_object.get('notification_body', '')).render(**notification_parameters)
n_title = jinja2_env.from_string(n_object.get('notification_title', '')).render(**notification_parameters)
PoC
- Create/Edit a URL watch item
-
Under Notifications tab insert this payload:
python {{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }} -
See Telegram (or other supported messaging app) notification
Impact
In the PoC I've used id as payload and Telegram to read the result.
Attackers can run any system command without any restriction and they don't need to read the result in the notification app (e.g. they could use a reverse shell).
The impact is critical as the attacker can completely takeover the server host.
This can be reduced if changedetection access is protected by login page with a password, but this isn't required by the application (not by default and not enforced).
References
- https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/
- https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti
- https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2/
- https://docs.cobalt.io/bestpractices/prevent-ssti/
Credits
Edoardo Ottavianelli
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.45.20"
},
"package": {
"ecosystem": "PyPI",
"name": "changedetection.io"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.45.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-32651"
],
"database_specific": {
"cwe_ids": [
"CWE-1336"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-15T18:05:15Z",
"nvd_published_at": "2024-04-26T00:15:08Z",
"severity": "CRITICAL"
},
"details": "### Summary\nA Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host.\n\n### Details\n\nchangedetection.io version: 0.45.20\n```\ndocker images\nREPOSITORY TAG IMAGE ID CREATED SIZE\ndgtlmoon/changedetection.io latest 53529c2e69f1 44 hours ago 423MB\n```\n\nThe vulnerability is caused by the usage of vulnerable functions of Jinja2 template engine.\n```python\nfrom jinja2 import Environment, BaseLoader\n...\n # Get the notification body from datastore\n jinja2_env = Environment(loader=BaseLoader)\n n_body = jinja2_env.from_string(n_object.get(\u0027notification_body\u0027, \u0027\u0027)).render(**notification_parameters)\n n_title = jinja2_env.from_string(n_object.get(\u0027notification_title\u0027, \u0027\u0027)).render(**notification_parameters)\n```\n\n\n### PoC\n1. Create/Edit a URL watch item\n2. Under *Notifications* tab insert this payload: \n```python\n{{ self.__init__.__globals__.__builtins__.__import__(\u0027os\u0027).popen(\u0027id\u0027).read() }}\n```\n\n\n3. See Telegram (or other supported messaging app) notification\n\n\n\n\n### Impact\nIn the PoC I\u0027ve used `id` as payload and Telegram to read the result. \nAttackers can run any system command without any restriction and they don\u0027t need to read the result in the notification app (e.g. they could use a reverse shell).\nThe impact is critical as the attacker can completely takeover the server host.\nThis can be reduced if changedetection access is protected by login page with a password, but this isn\u0027t required by the application (not by default and not enforced).\n\n### References\n- https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/\n- https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti\n- https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2/\n- https://docs.cobalt.io/bestpractices/prevent-ssti/\n\n### Credits\n\nEdoardo Ottavianelli",
"id": "GHSA-4r7v-whpg-8rx3",
"modified": "2024-10-15T18:05:15Z",
"published": "2024-10-15T18:05:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32651"
},
{
"type": "WEB",
"url": "https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io"
},
{
"type": "PACKAGE",
"url": "https://github.com/dgtlmoon/changedetection.io"
},
{
"type": "WEB",
"url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21"
},
{
"type": "WEB",
"url": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "changedetection.io has a Server Side Template Injection using Jinja2 which allows Remote Command Execution"
}
gsd-2024-32651
Vulnerability from gsd
Modified
2024-04-17 05:01
Details
changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced).
Aliases
{
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2024-32651"
],
"details": "changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn\u0027t required by the application (not by default and not enforced).",
"id": "GSD-2024-32651",
"modified": "2024-04-17T05:01:56.777467Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2024-32651",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "changedetection.io",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "\u003c= 0.45.20"
}
]
}
}
]
},
"vendor_name": "dgtlmoon"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn\u0027t required by the application (not by default and not enforced)."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-1336",
"lang": "eng",
"value": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3",
"refsource": "MISC",
"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3"
},
{
"name": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21",
"refsource": "MISC",
"url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21"
},
{
"name": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2",
"refsource": "MISC",
"url": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2"
}
]
},
"source": {
"advisory": "GHSA-4r7v-whpg-8rx3",
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"cve": {
"descriptions": [
{
"lang": "en",
"value": "changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn\u0027t required by the application (not by default and not enforced)."
},
{
"lang": "es",
"value": "changetection.io es un servicio de detecci\u00f3n de cambios de p\u00e1ginas web, seguimiento de sitios web, monitor de reabastecimiento y notificaci\u00f3n de c\u00f3digo abierto. Hay una inyecci\u00f3n de plantilla del lado del servidor (SSTI) en Jinja2 que permite la ejecuci\u00f3n remota de comandos en el host del servidor. Los atacantes pueden ejecutar cualquier comando del sistema sin ninguna restricci\u00f3n y podr\u00edan usar un shell inverso. El impacto es cr\u00edtico ya que el atacante puede apoderarse completamente de la m\u00e1quina servidor. Esto se puede reducir si la detecci\u00f3n de cambios est\u00e1 detr\u00e1s de una p\u00e1gina de inicio de sesi\u00f3n, pero la aplicaci\u00f3n no lo requiere (no es de forma predeterminada ni obligatorio)."
}
],
"id": "CVE-2024-32651",
"lastModified": "2024-04-26T12:58:17.720",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-04-26T00:15:08.550",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3"
},
{
"source": "security-advisories@github.com",
"url": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1336"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.