CVE-2024-51998: changedetection.io path traversal using file URI scheme without supplying hostname
(updated )
The validation for the file URI scheme falls short, and results in an attacker being able to read any file on the system. This issue only affects instances with a webdriver enabled, and ALLOW_FILE_URI false or not defined.
References
- github.com/advisories/GHSA-6jrf-rcjf-245r
- github.com/dgtlmoon/changedetection.io
- github.com/dgtlmoon/changedetection.io/blob/e0abf0b50507a8a3d0c1d8522ab23519b3e4cdf4/changedetectionio/model/Watch.py
- github.com/dgtlmoon/changedetection.io/blob/e0abf0b50507a8a3d0c1d8522ab23519b3e4cdf4/changedetectionio/processors/__init__.py
- github.com/dgtlmoon/changedetection.io/commit/49bc982c697169c98b79698889fb9d26f6b3317f
- github.com/dgtlmoon/changedetection.io/releases/tag/0.47.06
- github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-6jrf-rcjf-245r
- nvd.nist.gov/vuln/detail/CVE-2024-51998
Detect and mitigate CVE-2024-51998 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →