CVE-2024-32651 - Vulnerability Details - OpenCVE

changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.92464.

Exploitation poc

Automatable yes

Technical Impact total

Vendors	Products
Dgtlmoon	Changedetection.io

No data.

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/
https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21
https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3
https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-25T23:49:28.540Z

Updated: 2025-02-13T17:52:14.004Z

Reserved: 2024-04-16T14:15:26.876Z

Link: CVE-2024-32651

Vulnrichment

Updated: 2024-08-02T02:13:40.303Z

NVD

Status : Awaiting Analysis

Published: 2024-04-26T00:15:08.550

Modified: 2024-11-21T09:15:23.947

Link: CVE-2024-32651

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-32651", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-04-16T14:15:26.876Z", "datePublished": "2024-04-25T23:49:28.540Z", "dateUpdated": "2025-02-13T17:52:14.004Z"}, "containers": {"cna": {"title": "Server Side Template Injection in Jinja2 allows Remote Command Execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3"}, {"name": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21", "tags": ["x_refsource_MISC"], "url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21"}, {"name": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2", "tags": ["x_refsource_MISC"], "url": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2"}, {"url": "https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/"}], "affected": [{"vendor": "dgtlmoon", "product": "changedetection.io", "versions": [{"version": "<= 0.45.20", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-07T17:06:59.504Z"}, "descriptions": [{"lang": "en", "value": "changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced)."}], "source": {"advisory": "GHSA-4r7v-whpg-8rx3", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "dgtlmoon", "product": "changedetection.io", "cpes": ["cpe:2.3:a:dgtlmoon:changedetection.io:0.45.20:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0.45.20", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-07T19:43:06.358800Z", "id": "CVE-2024-32651", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-07T19:45:58.632Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:13:40.303Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3"}, {"name": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21"}, {"name": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2"}, {"url": "https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3", "name": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21", "name": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2", "name": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:13:40.303Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-32651", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-07T19:43:06.358800Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:dgtlmoon:changedetection.io:0.45.20:*:*:*:*:*:*:*"], "vendor": "dgtlmoon", "product": "changedetection.io", "versions": [{"status": "affected", "version": "0.45.20"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-07T19:45:52.931Z"}}], "cna": {"title": "Server Side Template Injection in Jinja2 allows Remote Command Execution", "source": {"advisory": "GHSA-4r7v-whpg-8rx3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dgtlmoon", "product": "changedetection.io", "versions": [{"status": "affected", "version": "<= 0.45.20"}]}], "references": [{"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3", "name": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21", "name": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21", "tags": ["x_refsource_MISC"]}, {"url": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2", "name": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2", "tags": ["x_refsource_MISC"]}, {"url": "https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/"}], "descriptions": [{"lang": "en", "value": "changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1336", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-07T17:06:59.504Z"}}}, "cveMetadata": {"cveId": "CVE-2024-32651", "state": "PUBLISHED", "dateUpdated": "2025-02-13T17:52:14.004Z", "dateReserved": "2024-04-16T14:15:26.876Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-04-25T23:49:28.540Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced)."}, {"lang": "es", "value": "changetection.io es un servicio de detecci\u00f3n de cambios de p\u00e1ginas web, seguimiento de sitios web, monitor de reabastecimiento y notificaci\u00f3n de c\u00f3digo abierto. Hay una inyecci\u00f3n de plantilla del lado del servidor (SSTI) en Jinja2 que permite la ejecuci\u00f3n remota de comandos en el host del servidor. Los atacantes pueden ejecutar cualquier comando del sistema sin ninguna restricci\u00f3n y podr\u00edan usar un shell inverso. El impacto es cr\u00edtico ya que el atacante puede apoderarse completamente de la m\u00e1quina servidor. Esto se puede reducir si la detecci\u00f3n de cambios est\u00e1 detr\u00e1s de una p\u00e1gina de inicio de sesi\u00f3n, pero la aplicaci\u00f3n no lo requiere (no es de forma predeterminada ni obligatorio)."}], "id": "CVE-2024-32651", "lastModified": "2024-11-21T09:15:23.947", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-04-26T00:15:08.550", "references": [{"source": "security-advisories@github.com", "url": "https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/"}, {"source": "security-advisories@github.com", "url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21"}, {"source": "security-advisories@github.com", "url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3"}, {"source": "security-advisories@github.com", "url": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Secondary"}]}