Platform: python
Component: changedetection-io
Fixed in: 0.48.05
CVE-2024-56509 describes a Path Traversal vulnerability discovered in changedetection-io, a Python-based website change detector. This flaw allows attackers to potentially read arbitrary files on the server due to insufficient input validation when constructing file paths. Versions of changedetection-io prior to 0.48.05 are affected. A patch has been released to address this issue.
The vulnerability arises from inadequate sanitization of user-supplied input used to construct file paths within the application. An attacker could craft malicious URLs containing path traversal sequences, such as file:../../../etc/passwd or file:///etc/passwd, to bypass the weak validation and gain unauthorized access to sensitive files on the server's file system. This could expose configuration files, source code, or other confidential data. The impact is significant as it allows for local file disclosure, potentially leading to further compromise of the system.
CVE-2024-56509 was publicly disclosed on December 27, 2024. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept exploits are not widely available, but the nature of path traversal vulnerabilities makes it likely that such exploits will emerge.
Exploit Status
EPSS: 0.07% (22nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade changedetection-io to version 0.48.05 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing stricter input validation on the server-side to sanitize user-provided URLs before they are used to construct file paths. While a full fix requires the upgrade, a temporary workaround could involve restricting access to sensitive files via web server configuration (e.g., .htaccess rules in Apache) to prevent direct access. After upgrading, verify the fix by attempting to access a sensitive file using a path traversal payload (e.g., file:../../../etc/passwd) and confirming that access is denied.
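The workaround above asks for stricter server-side validation of user-supplied URLs before any file path is derived from them. The following is an added example of such a check, written for this page and not taken from changedetection-io; the function names, the allow-list of schemes and the sample inputs are all this example's own assumptions. It covers the two payload shapes quoted above (a relative file: URL and an absolute file:/// URL) and also rejects percent-encoded and double-encoded traversal sequences, which the text does not mention but which the same check should handle. A second helper shows the complementary defence on the filesystem side: confining any derived path to a fixed data directory.

```python
"""Added example (not changedetection-io project code): allow-list
validation for watch URLs, plus a confinement check for derived file paths."""
import os
from typing import Optional, Tuple
from urllib.parse import urlsplit, unquote

# Assumption for this example: a watcher only ever needs remote pages, so
# every other scheme (file:, ftp:, an empty scheme) is rejected outright.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def _fully_decode(segment: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so that %2e%2e and %252e%252e
    are both seen as '..' by the caller."""
    for _ in range(rounds):
        decoded = unquote(segment)
        if decoded == segment:
            break
        segment = decoded
    return segment


def validate_watch_url(url: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a user-supplied URL.

    Rejects non-HTTP(S) schemes, URLs without a host, and any '..' path
    component (checked after decoding)."""
    if not isinstance(url, str) or not url.strip():
        return False, "empty URL"
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % (scheme or "(none)")
    if not parts.netloc:
        return False, "missing host"
    decoded_path = _fully_decode(parts.path)
    if any(seg == ".." for seg in decoded_path.split("/")):
        return False, "path traversal sequence in path"
    return True, "ok"


def safe_join(root: str, user_path: str) -> Optional[str]:
    """Resolve user_path under root and refuse anything that escapes it.

    realpath() collapses '..' and follows symlinks; commonpath() then
    confirms the result is still inside root. Returns None when it is not."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # different drives on Windows
        inside = False
    return candidate if inside else None


if __name__ == "__main__":
    # Constructed sample inputs: the two payload shapes from the advisory
    # plus encoded variants and one legitimate URL.
    for sample in (
        "https://example.com/news",
        "file:../../../etc/passwd",
        "file:///etc/passwd",
        "https://example.com/%2e%2e/%2e%2e/etc/passwd",
        "https://example.com/%252e%252e/x",
        "/etc/passwd",
    ):
        print("%-50s %s" % (sample, validate_watch_url(sample)))
    # Constructed data directory (need not exist; realpath only normalises).
    print(safe_join("/srv/watch-data", "abc123/history.txt"))
    print(safe_join("/srv/watch-data", "../../etc/passwd"))
```

The scheme allow-list does most of the work: a path check alone would still let file:///etc/passwd through, since that URL contains no '..' at all. The decode loop exists because a single unquote() misses double-encoded dots, and safe_join() is the last line of defence for any code path that maps a user-controlled name onto the data directory regardless of how the URL was validated.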
Update changedetection.io to version 0.48.05 or higher. This version contains a fix for the path traversal vulnerability. You can update through the admin panel or by downloading the latest version from the official repository.
CVE-2024-56509 is a Path Traversal vulnerability affecting changedetection-io versions up to 0.48.4, allowing attackers to read local files due to insufficient input validation.
Yes, if you are running changedetection-io version 0.48.4 or earlier, you are vulnerable to this Path Traversal attack.
Upgrade changedetection-io to version 0.48.05 or later to resolve the vulnerability. Implement stricter input validation as a temporary workaround if upgrading is not immediately possible.
There is currently no confirmed evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the changedetection-io project's release notes and security advisories on their GitHub repository for the latest information.