漏洞描述
A Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host.
CVE-2024-32651: Change Detection - Server Side Template Injection
PoC代码[已公开]
id: CVE-2024-32651
info:
name: Change Detection - Server Side Template Injection
author: edoardottt
severity: critical
description: |
A Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host.
impact: |
Unauthenticated attackers can execute arbitrary code on the server through Server Side Template Injection.
remediation: |
Update changedetection.io to version 0.45.21 or later.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2024-32651
- https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3
- https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21
- https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2024-32651
cwe-id: CWE-1336
epss-score: 0.92464
epss-percentile: 0.99719
metadata:
verified: true
max-request: 1
shodan-query: html:"Change Detection"
tags: cve,cve2024,changedetection,ssti,rce,passive,vuln
http:
- method: GET
path:
- "{{RootURL}}/"
redirects: true
max-redirects: 2
extractors:
- type: xpath
name: version
internal: true
xpath:
- "//*[@id=\"right-sticky\"]"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- "Change Detection"
condition: and
- type: dsl
dsl:
- compare_versions(version, '<= 0.45.20')
# digest: 490a00463044022001b207dc9b6bdd5b1593550354828e621e77e0e7b018bcd05d98017f7104a28902202b5afa0236eccb3cb379eb7d9c050f331d883f093217ab55c86e821238b01290:922c64590222798bb761d5b6d8e72950