GHSA-6jrf-rcjf-245r

Suggest an improvement
Source
https://github.com/advisories/GHSA-6jrf-rcjf-245r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-6jrf-rcjf-245r/GHSA-6jrf-rcjf-245r.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-6jrf-rcjf-245r
Aliases
Published
2024-11-07T22:00:58Z
Modified
2024-11-08T14:21:50.206814Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N CVSS Calculator
Summary
changedetection.io path traversal using file URI scheme without supplying hostname
Details

Summary

The validation for the file URI scheme falls short, and results in an attacker being able to read any file on the system. This issue only affects instances with a webdriver enabled, and ALLOW_FILE_URI false or not defined.

Details

The check used for URL protocol, is_safe_url, allows file: as a URL scheme:

https://github.com/dgtlmoon/changedetection.io/blob/e0abf0b50507a8a3d0c1d8522ab23519b3e4cdf4/changedetectionio/model/Watch.py#L11-L13

It later checks if local files are permitted, but one of the preconditions for the check is that the URL starts with file://. The issue comes with the fact that the file URI scheme is not required to have double slashes.

A valid file URI must therefore begin with either file:/path (no hostname), file:///path (empty hostname), or file://hostname/path. — Wikipedia

https://github.com/dgtlmoon/changedetection.io/blob/e0abf0b50507a8a3d0c1d8522ab23519b3e4cdf4/changedetectionio/processors/init.py#L37-L41

PoC

  1. Open up a changedetection.io instance with a webdriver configured
  2. Create a new watch: file:/etc/passwd or a similar path for your operating system. Enable webdriver mode
  3. Wait for it to be checked
  4. Open preview
  5. Notice contents of the file
Database specific 
{
    "nvd_published_at": "2024-11-08T00:15:15Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-07T22:00:58Z"
}
References

Affected packages

PyPI / changedetection-io

Package

Name
changedetection-io
View open source insights on deps.dev
Purl
pkg:pypi/changedetection-io

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.47.6

Affected versions

0.*

0.38.2
0.39
0.39.1
0.39.2
0.39.3
0.39.4
0.39.5
0.39.6
0.39.7
0.39.8
0.39.9
0.39.10
0.39.10.post1
0.39.10.post2
0.39.11
0.39.12
0.39.13
0.39.13.1
0.39.14
0.39.14.1
0.39.15
0.39.16
0.39.17
0.39.17.1
0.39.17.2
0.39.18
0.39.19
0.39.19.1
0.39.20
0.39.20.1
0.39.20.2
0.39.20.3
0.39.20.4
0.39.21
0.39.21.1
0.39.22
0.39.22.1
0.40.0
0.40.0.1
0.40.0.2
0.40.0.3
0.40.0.4
0.40.1.0
0.40.1.1
0.40.2
0.40.3
0.41
0.41.1
0.42
0.42.1
0.42.2
0.42.3
0.43.1
0.43.2
0.44
0.44.1
0.45
0.45.1
0.45.2
0.45.3
0.45.4
0.45.5
0.45.6
0.45.7
0.45.7.1
0.45.7.2
0.45.7.3
0.45.8
0.45.8.1
0.45.9
0.45.11
0.45.12
0.45.13
0.45.14
0.45.15
0.45.16
0.45.17
0.45.18
0.45.19
0.45.20
0.45.21
0.45.22
0.45.23
0.45.24
0.45.25
0.45.26
0.46.0
0.46.1
0.46.2
0.46.3
0.46.4
0.47.0
0.47.1
0.47.2
0.47.3
0.47.4
0.47.5

Database specific 

{
    "last_known_affected_version_range": "<= 0.47.5"
}