CVE-2024-23329
published 2024-01-19CVE-2024-23329: changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint `/api/v1/watch//history` can…
PriorityP414low3.7CVSS 3.1
AVNACHPRNUINSUCLINAN
EPSS
0.59%
43.6th percentile
changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint `/api/v1/watch//history` can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However, because unauthorized party first needs to know a watch UUID, and the watch history endpoint itself returns only paths to the snapshot on the server, an impact on users' data privacy is minimal. This issue has been addressed in version 0.45.13. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dgtlmoon | changedetection.io | — | — |
| dgtlmoon | changedetection.io | >= 0.39.14 < 0.45.13 | 0.45.13 |
| webtechnologies | changedetection | >= 0.39.14 < 0.45.13 | 0.45.13 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
changedetection.io API endpoint is not secured with API token
ghsa·2024-01-23
CVE-2024-23329 [LOW] CWE-863 changedetection.io API endpoint is not secured with API token
changedetection.io API endpoint is not secured with API token
### Summary
API endpoint `/api/v1/watch//history` can be accessed by any unauthorized user.
### Details
WatchHistory resource does not have `@auth.check_token` annotation, which means it can be accessed without providing `x-api-key` header.
https://github.com/dgtlmoon/changedetection.io/blob/9510345e01ea8e308c339163d8e8b030ce5ac7f1/changedetectionio/api/api_v1.py#L129-L156
### PoC
1. Get list of watch with `x-api-key`:
```sh
$ curl -H "x-api-key: apikeyhere" http://localhost:5000/api/v1/watch
{"uuid": ...}
```
2. Call for history of snapshots without `x-api-key`. Expected - 401/403 error. Actual - list of snapshots is listed.
```sh
$ curl http://localhost:5000/api/v1/watch/uuid/history
{"timestamp": "/path/to/snapshot.txt
OSV
changedetection.io API endpoint is not secured with API token
osv·2024-01-23
CVE-2024-23329 [LOW] changedetection.io API endpoint is not secured with API token
changedetection.io API endpoint is not secured with API token
### Summary
API endpoint `/api/v1/watch//history` can be accessed by any unauthorized user.
### Details
WatchHistory resource does not have `@auth.check_token` annotation, which means it can be accessed without providing `x-api-key` header.
https://github.com/dgtlmoon/changedetection.io/blob/9510345e01ea8e308c339163d8e8b030ce5ac7f1/changedetectionio/api/api_v1.py#L129-L156
### PoC
1. Get list of watch with `x-api-key`:
```sh
$ curl -H "x-api-key: apikeyhere" http://localhost:5000/api/v1/watch
{"uuid": ...}
```
2. Call for history of snapshots without `x-api-key`. Expected - 401/403 error. Actual - list of snapshots is listed.
```sh
$ curl http://localhost:5000/api/v1/watch/uuid/history
{"timestamp": "/path/to/snapshot.txt
OSV
CVE-2024-23329: changedetection
osv·2024-01-19
CVE-2024-23329 CVE-2024-23329: changedetection
changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint `/api/v1/watch//history` can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However, because unauthorized party first needs to know a watch UUID, and the watch history endpoint itself returns only paths to the snapshot on the server, an impact on users' data privacy is minimal. This issue has been addressed in version 0.45.13. Users are advised to upgrade. There are no known workarounds for this vulnerability.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/dgtlmoon/changedetection.io/commit/402f1e47e78ecd155b1e90f30cce424ff7763e0fhttps://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-hcvp-2cc7-jrwrhttps://github.com/dgtlmoon/changedetection.io/commit/402f1e47e78ecd155b1e90f30cce424ff7763e0fhttps://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-hcvp-2cc7-jrwr
2024-01-19
Published