CVE-2024-32651
- Source
- https://cve.org/CVERecord?id=CVE-2024-32651
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-32651.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-32651
- Aliases
- Published
- 2024-04-25T23:49:28.540Z
- Modified
- 2026-03-13T14:52:15.562571Z
- Severity
-
- 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Server Side Template Injection in Jinja2 allows Remote Command Execution
- Details
-
changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced).
- Database specific
{ "cwe_ids": [ "CWE-1336" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32651.json" }- References
-
- https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io/
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32651.json
- https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21
- https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3
- https://nvd.nist.gov/vuln/detail/CVE-2024-32651
- https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2
Affected packages
Git / github.com/dgtlmoon/changedetection.io
Affected ranges
- Type
- GIT
- Repo
- https://github.com/dgtlmoon/changedetection.io
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- GIT
- Repo
- https://github.com/dgtlmoon/changedetection.io
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.1
0.11
0.12
0.2
0.21
0.22
0.23
0.24
0.25
0.26
0.27
0.28
0.29
0.30
0.31
0.32
0.33
0.34
0.35
0.36
0.37
0.38
0.38.1
0.38.2
0.39
0.39.1
0.39.10
0.39.11
0.39.12
0.39.13
0.39.13.1
0.39.14
0.39.15
0.39.16
0.39.17
0.39.17.1
0.39.17.2
0.39.18
0.39.19
0.39.19.1
0.39.2
0.39.20
0.39.20.1
0.39.20.2
0.39.20.3
0.39.20.4
0.39.21
0.39.21.1
0.39.22
0.39.22.1
0.39.3
0.39.4
0.39.5
0.39.6
0.39.7
0.39.8
0.39.9
0.40.0
0.40.0.2
0.40.0.3
0.40.0.4
0.40.1.0
0.40.1.1
0.40.2
0.40.3
0.41
0.41.1
0.42
0.42.1
0.42.2
0.42.3
0.43
0.43.1
0.43.2
0.44
0.44.1
0.44.2
0.45
0.45.1
0.45.10
0.45.12
0.45.13
0.45.14
0.45.15
0.45.16
0.45.17
0.45.18
0.45.19
0.45.2
0.45.20
0.45.3
0.45.4
0.45.5
0.45.6
0.45.7
0.45.7.1
0.45.7.2
0.45.7.3
0.45.8
0.45.8.1
0.45.9