CVE-2024-32651
Published: 2024-04-26
Priority: P1 (85), critical
CVSS 3.1: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EXPLOIT
EPSS: 83.72% (99.7th percentile)
changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely take over the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dgtlmoon | changedetection.io | <= 0.45.20 | — |
| dgtlmoon | changedetection.io | >= 0 < 0.45.21 | 0.45.21 |
Detection & IOCs
- other: compare_versions(version, '<= 0.45.20')
- other: html:"Change Detection"
- sigma: Nuclei Template CVE-2024-32651: GET {{RootURL}}/ with xpath extractor on //*[@id="right-sticky"], match body word 'Change Detection', status 200, version <= 0.45.20

- Vulnerable versions of changedetection.io are 0.45.20 and below; upgrade to 0.45.21 or later to remediate the SSTI RCE.
- Identify exposed changedetection.io instances via Shodan using the query html:"Change Detection" as a pre-exploitation reconnaissance indicator.
- The SSTI payload is injected via Jinja2 unsafe functions; monitor for template injection patterns (e.g., {{...}} or {%...%} in user-controlled inputs) reaching the changedetection.io application.
- Attackers can leverage the SSTI to spawn a reverse shell; monitor for unexpected outbound connections and shell process spawning from the changedetection.io process.
- The vulnerability is exploitable without authentication by default; prioritize detection on internet-facing changedetection.io deployments not protected by a login page.
- Detection probe: HTTP GET to the root path '/' of a changedetection.io instance; presence of 'Change Detection' in the response body combined with version <= 0.45.20 (extracted from XPath //*[@id="right-sticky"]) confirms a vulnerable target.
- The EPSS score is extremely high (0.92455, 99.73rd percentile), indicating this vulnerability is very likely being actively exploited in the wild; treat as high-priority.
- The vulnerability has a CVSS score of 10 (maximum) with network attack vector, no privileges required, and no user interaction; scope is changed with high impact on confidentiality, integrity, and availability.
- Authentication is not enforced by default in changedetection.io; placing the application behind a login page reduces but does not eliminate risk.
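An added example (not code from changedetection.io or from the sources indexed here) of the template-pattern monitoring described in the list above: it scans submitted notification fields and flags Jinja2 statements and any `{{ ... }}` expression that is more than a bare placeholder. The `notification_title` field name, the placeholder names, and the rule that legitimate text contains only bare `{{ name }}` placeholders are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumption: legitimate notification text uses only bare placeholders such as
# {{ watch_url }}; anything richer is worth a look on an affected version.
PLAIN_PLACEHOLDER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")
EXPRESSION = re.compile(r"\{\{(.*?)\}\}", re.S)
STATEMENT = re.compile(r"\{%(.*?)%\}", re.S)

def classify_expression(expr: str) -> Optional[str]:
    """Return why a {{ ... }} body is more than a placeholder, else None."""
    expr = expr.strip().strip("-").strip()  # drop {{- -}} whitespace control
    if "__" in expr:
        return "dunder attribute access"
    if PLAIN_PLACEHOLDER.match(expr):
        return None
    if "(" in expr:
        return "call expression"
    if "." in expr or "[" in expr:
        return "attribute or subscript access"
    return "non-placeholder expression"

def scan_field(field: str, value: str) -> List[Tuple[str, str, str]]:
    """Flag Jinja2 statements and non-trivial expressions in one input field."""
    findings = [(field, "template statement", m.group(0))
                for m in STATEMENT.finditer(value)]
    for m in EXPRESSION.finditer(value):
        reason = classify_expression(m.group(1))
        if reason:
            findings.append((field, reason, m.group(0)))
    return findings

def scan_submissions(submissions: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (field, reason, matched text) for every flagged pattern."""
    return [f for sub in submissions
            for field, value in sub.items() for f in scan_field(field, value)]

# Constructed sample form submissions (field and placeholder names assumed).
SAMPLE_SUBMISSIONS = [
    {"notification_title": "Change on {{ watch_url }}", "notification_body": "{{ diff }}"},
    {"notification_title": "Restock", "notification_body": "{{ watch_url.__class__ }}"},
    {"notification_title": "{% for k in cfg %}{{ k }}{% endfor %}",
     "notification_body": "{{ items[0] }} {{ fmt(now) }}"},
]

if __name__ == "__main__":
    for field, reason, text in scan_submissions(SAMPLE_SUBMISSIONS):
        print(f"{field}: {reason}: {text}")
```

A pattern match like this is a triage signal for logs or a WAF rule, not a fix; the remediation stated on this page is upgrading to 0.45.21 or later.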
OSV
changedetection.io has a Server Side Template Injection using Jinja2 which allows Remote Command Execution
osv·2024-10-15
CVE-2024-32651 [CRITICAL] changedetection.io has a Server Side Template Injection using Jinja2 which allows Remote Command Execution
### Summary
A Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host.
### Details
changedetection.io version: 0.45.20
```
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
dgtlmoon/changedetection.io latest 53529c2e69f1 44 hours ago 423MB
```
The vulnerability is caused by the usage of vulnerable functions of Jinja2 template engine.
```python
from jinja2 import Environment, BaseLoader
...
# Get the notification body from datastore
# (a plain, non-sandboxed Environment compiles the stored string as a template)
jinja2_env = Environment(loader=BaseLoader)
n_body = jinja2_env.from_string(n_object.get('notification_body', '')).render(**notification_parameters)
n_title =
```
GHSA
changedetection.io has a Server Side Template Injection using Jinja2 which allows Remote Command Execution
ghsa·2024-10-15
CVE-2024-32651 [CRITICAL] CWE-1336 changedetection.io has a Server Side Template Injection using Jinja2 which allows Remote Command Execution
Nuclei
Change Detection - Server Side Template Injection
nuclei·CVSS 10.0
CVE-2024-32651 [CRITICAL] Change Detection - Server Side Template Injection
A Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host.
Template:
```yaml
id: CVE-2024-32651

info:
  name: Change Detection - Server Side Template Injection
  author: edoardottt
  severity: critical
  description: |
    A Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on the server host.
  impact: |
    Unauthenticated attackers can execute arbitrary code on the server through Server Side Template Injection.
  remediation: |
    Update changedetection.io to version 0.45.21 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-32651
    - https://github.com/dgtlmoon/changedetection.io
```
References
- https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/
- https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21
- https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3
- https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2