GHSA-cwgg-57xj-g77r
Suggest an improvement- Source
- https://github.com/advisories/GHSA-cwgg-57xj-g77r
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-cwgg-57xj-g77r/GHSA-cwgg-57xj-g77r.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-cwgg-57xj-g77r
- Aliases
- Published
- 2024-11-01T21:39:13Z
- Modified
- 2024-11-01T22:12:21.409900Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- changedetection.io Path Traversal
- Details
-
Summary
When a WebDriver is used to fetch files source:file:///etc/passwd can be used to retrieve local system files, where the more traditional file:///etc/passwd gets blocked
Details
The root cause is the payload source:file:///etc/passwdpasses the regex here and also passes the check here where a traditional file:///etc/passwd would get blocked
PoC
CL-ChangeDetection.io Path Travsersal-311024-181039.pdf
Impact
It depends on where the webdriver is deployed but generally this is a high impact vulnerability
- Database specific
{ "cwe_ids": [ "CWE-22" ], "github_reviewed": true, "github_reviewed_at": "2024-11-01T21:39:13Z", "severity": "MODERATE", "nvd_published_at": "2024-11-01T17:15:18Z" }- References
-
- https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-cwgg-57xj-g77r
- https://nvd.nist.gov/vuln/detail/CVE-2024-51483
- https://github.com/dgtlmoon/changedetection.io
- https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/model/Watch.py#L19
- https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/processors/__init__.py#L35
- https://github.com/user-attachments/files/17591630/CL-ChangeDetection.io.Path.Travsersal-311024-181039.pdf
Affected packages
PyPI / changedetection-io
Package
- Name
- changedetection-io
- View open source insights on deps.dev
- Purl
- pkg:pypi/changedetection-io
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.47.5
Affected versions
0.*
0.38.2
0.39
0.39.1
0.39.2
0.39.3
0.39.4
0.39.5
0.39.6
0.39.7
0.39.8
0.39.9
0.39.10
0.39.10.post1
0.39.10.post2
0.39.11
0.39.12
0.39.13
0.39.13.1
0.39.14
0.39.14.1
0.39.15
0.39.16
0.39.17
0.39.17.1
0.39.17.2
0.39.18
0.39.19
0.39.19.1
0.39.20
0.39.20.1
0.39.20.2
0.39.20.3
0.39.20.4
0.39.21
0.39.21.1
0.39.22
0.39.22.1
0.40.0
0.40.0.1
0.40.0.2
0.40.0.3
0.40.0.4
0.40.1.0
0.40.1.1
0.40.2
0.40.3
0.41
0.41.1
0.42
0.42.1
0.42.2
0.42.3
0.43.1
0.43.2
0.44
0.44.1
0.45
0.45.1
0.45.2
0.45.3
0.45.4
0.45.5
0.45.6
0.45.7
0.45.7.1
0.45.7.2
0.45.7.3
0.45.8
0.45.8.1
0.45.9
0.45.11
0.45.12
0.45.13
0.45.14
0.45.15
0.45.16
0.45.17
0.45.18
0.45.19
0.45.20
0.45.21
0.45.22
0.45.23
0.45.24
0.45.25
0.45.26
0.46.0
0.46.1
0.46.2
0.46.3
0.46.4
0.47.0
0.47.1
0.47.2
0.47.3
0.47.4