CVE-2024-51998
📋 TL;DR
This vulnerability in changedetection.io allows attackers to read arbitrary files on the system when webdriver is enabled and ALLOW_FILE_URI is false or undefined. The issue stems from improper validation of file URIs: the file scheme does not require double slashes, and URIs written without them are not validated correctly. Only instances with webdriver enabled are affected.
💻 Affected Systems
- changedetection.io
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through reading sensitive files like /etc/passwd, SSH keys, configuration files, and database credentials, potentially leading to privilege escalation or lateral movement.
Likely Case
Unauthorized reading of sensitive system files containing credentials, configuration data, or other confidential information stored on the server.
If Mitigated
No impact if webdriver is disabled or ALLOW_FILE_URI is explicitly set to true, or if the system is upgraded to the patched version.
🎯 Exploit Status
The vulnerability is straightforward to exploit once an attacker discovers a vulnerable instance. No authentication is required to trigger the file read.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.47.06
Vendor Advisory: https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-6jrf-rcjf-245r
Restart Required: Yes
Instructions:
1. Back up your configuration and data.
2. Stop the changedetection.io service.
3. Update to version 0.47.06 or later using your package manager or installation method.
4. Restart the service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Disable webdriver
Disable the webdriver functionality, which is required for this vulnerability to be exploitable.
Set webdriver_enabled = false in your configuration
Set ALLOW_FILE_URI to true
Explicitly enable file URI access, which bypasses the vulnerable code path.
Set ALLOW_FILE_URI = true in your configuration
🧯 If You Can't Patch
- Disable webdriver functionality immediately
- Implement network segmentation to restrict access to the changedetection.io instance
🔍 How to Verify
Check if Vulnerable:
Check if webdriver is enabled AND ALLOW_FILE_URI is false or not defined in your configuration, and version is below 0.47.06
Check Version:
Check the application interface or run: docker exec changedetection python -c "import changedetectionio; print(changedetectionio.__version__)"
Verify Fix Applied:
Confirm version is 0.47.06 or higher and test that file:// URIs without double slashes are properly rejected
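The check described above, as an added example (not changedetection.io's own code): a prefix test that only recognises `file://` beside a test on the scheme itself, run over constructed watch URLs to show which file URIs the prefix test lets through. The function names, the `allow_file_uri` parameter and the sample URLs are assumptions made for illustration.

```python
import re

# Assumed shape of a prefix check that only knows the double-slash form.
NAIVE_FILE_RE = re.compile(r"^file://", re.IGNORECASE)
# RFC 3986 scheme grammar: a letter, then letters, digits, "+", "-" or ".".
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def naive_is_file_uri(url: str) -> bool:
    """Weak form: misses 'file:/path' and 'file:path'."""
    return bool(NAIVE_FILE_RE.search(url))


def strict_is_file_uri(url: str) -> bool:
    """Hardened form: decide on the scheme alone, however many slashes follow."""
    match = SCHEME_RE.match(url.strip())
    return bool(match) and match.group(1).lower() == "file"


def audit_watch_urls(urls, allow_file_uri=False):
    """Return (url, missed_by_naive) for each file URI that policy forbids."""
    if allow_file_uri:
        return []  # file access is explicitly permitted, nothing to flag
    return [(u, not naive_is_file_uri(u)) for u in urls if strict_is_file_uri(u)]


# Constructed sample watch URLs (not taken from any real instance).
SAMPLE_URLS = [
    "https://example.com/pricing",
    "file:///tmp/sample.txt",
    "file:/tmp/sample.txt",
    "FILE:tmp/sample.txt",
    "https://example.com/?next=file:/tmp/sample.txt",
]

if __name__ == "__main__":
    for url, missed in audit_watch_urls(SAMPLE_URLS):
        status = "MISSED by prefix check" if missed else "caught by prefix check"
        print(f"{status}: {url!r}")
```

Running the audit over the watch URLs stored in an instance flags entries that should be reviewed before and after upgrading to 0.47.06.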
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns
- Requests containing file:// URIs without double slashes
- Webdriver-related errors or access
Network Indicators:
- HTTP requests to file:// URIs
- Unusual outbound connections from the changedetection.io instance
SIEM Query:
source="changedetection.io" AND (uri="file:*" OR user_agent="*webdriver*" OR message="*file://*")
🔗 References
- https://github.com/dgtlmoon/changedetection.io/blob/e0abf0b50507a8a3d0c1d8522ab23519b3e4cdf4/changedetectionio/model/Watch.py#L11-L13
- https://github.com/dgtlmoon/changedetection.io/commit/49bc982c697169c98b79698889fb9d26f6b3317f
- https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-6jrf-rcjf-245r