changedetection.io Path Traversal

GHSA-cwgg-57xj-g77r · CVE-2024-51483

Published Nov 1, 2024 · Modified Nov 1, 2024

Description

Summary

When a WebDriver is used to fetch files source:file:///etc/passwd can be used to retrieve local system files, where the more traditional file:///etc/passwd gets blocked

Details

The root cause is the payload source:file:///etc/passwdpasses the regex here and also passes the check here where a traditional file:///etc/passwd would get blocked

PoC

CL-ChangeDetection.io Path Travsersal-311024-181039.pdf

Impact

It depends on where the webdriver is deployed but generally this is a high impact vulnerability

References

WEB https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-cwgg-57xj-g77r
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-51483
PACKAGE https://github.com/dgtlmoon/changedetection.io
WEB https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/model/Watch.py#L19
WEB https://github.com/dgtlmoon/changedetection.io/blob/master/changedetectionio/processors/__init__.py#L35
WEB https://github.com/user-attachments/files/17591630/CL-ChangeDetection.io.Path.Travsersal-311024-181039.pdf

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes