
GHSA-hcvp-2cc7-jrwr: changedetection.io API endpoint is not secured with API token

Summary

The API endpoint /api/v1/watch/<uuid>/history can be accessed by any unauthenticated user.

Details

The WatchHistory resource lacks the @auth.check_token decorator, so, unlike the /api/v1/watch listing shown in the PoC below, its handler can be called without an x-api-key header.

https://github.com/dgtlmoon/changedetection.io/blob/9510345e01ea8e308c339163d8e8b030ce5ac7f1/changedetectionio/api/api_v1.py#L129-L156

PoC

  1. Get the list of watches, supplying x-api-key:
$ curl -H "x-api-key: apikeyhere" http://localhost:5000/api/v1/watch
{"uuid": ...}
  2. Request the snapshot history without x-api-key. Expected: a 401/403 error. Actual: the list of snapshots is returned.
$ curl http://localhost:5000/api/v1/watch/uuid/history
{"timestamp": "/path/to/snapshot.txt"}

Impact

Anyone can read a watch's history. However, because the unauthenticated party first has to know the watch UUID, and the history endpoint itself returns only snapshot timestamps and server-side paths to the snapshot files rather than their contents, the impact on users' data privacy is minimal. What does leak is the timing of snapshots and the layout of the data directory on the server.
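The bug class is easiest to see in code. The following is an added example, not code from changedetection.io: it models a Flask-RESTful-style Resource with a check_token decorator (stand-ins for the project's auth.check_token), shows the history handler with and without the decorator, and adds the regression check a maintainer would want after this advisory, a function that walks every resource's HTTP handlers and reports any that the decorator did not wrap. The Resource class, the sample watch data, the request-dict shape and the API key are all constructed for the example.

```python
"""Added example (not changedetection.io code): a missing auth decorator and
the audit that catches it. check_token, Resource, Watch and WatchHistory*
are simplified stand-ins for the Flask-RESTful objects the advisory refers to."""
import functools
import hmac

API_KEY = "apikeyhere"            # constructed; matches the PoC's placeholder key
HTTP_METHODS = ("get", "post", "put", "patch", "delete")

# Constructed data store: one watch with one snapshot.
WATCHES = {
    "1b2c3d": {
        "url": "https://example.com/",
        "history": {"1700000000": "/datastore/1b2c3d/1700000000.txt"},
    }
}


class Unauthorized(Exception):
    """Raised in place of an HTTP 401/403 response."""


def check_token(func):
    """Require a correct x-api-key header before running the handler.

    The request is modelled as a dict with a 'headers' mapping; a real
    Flask app would read flask.request.headers instead.
    """
    @functools.wraps(func)
    def wrapper(self, request, *args, **kwargs):
        supplied = request.get("headers", {}).get("x-api-key", "")
        # Constant-time comparison so the key cannot be guessed byte by byte.
        if not hmac.compare_digest(supplied, API_KEY):
            raise Unauthorized("missing or invalid x-api-key")
        return func(self, request, *args, **kwargs)

    wrapper.requires_token = True   # marker that unprotected_endpoints() looks for
    return wrapper


class Resource:
    """Stand-in for flask_restful.Resource."""


class Watch(Resource):
    @check_token
    def get(self, request, uuid):
        return WATCHES[uuid]


class WatchHistoryVulnerable(Resource):
    # No @check_token: the defect described in GHSA-hcvp-2cc7-jrwr.
    def get(self, request, uuid):
        return WATCHES[uuid]["history"]


class WatchHistoryFixed(Resource):
    @check_token
    def get(self, request, uuid):
        return WATCHES[uuid]["history"]


def unprotected_endpoints(*resources):
    """Return 'Class.method' for every HTTP handler not wrapped by check_token.

    Run this over all registered resources from a unit test so that a new
    endpoint added without the decorator fails CI instead of shipping.
    """
    findings = []
    for cls in resources:
        for name in HTTP_METHODS:
            handler = getattr(cls, name, None)
            if handler is not None and not getattr(handler, "requires_token", False):
                findings.append(f"{cls.__name__}.{name}")
    return findings


if __name__ == "__main__":
    anonymous = {"headers": {}}
    authed = {"headers": {"x-api-key": API_KEY}}

    # The vulnerable handler answers an anonymous request.
    print("vulnerable, no key:", WatchHistoryVulnerable().get(anonymous, "1b2c3d"))

    # The fixed handler rejects it and serves the authenticated caller.
    try:
        WatchHistoryFixed().get(anonymous, "1b2c3d")
    except Unauthorized as exc:
        print("fixed, no key:", exc)
    print("fixed, with key:", WatchHistoryFixed().get(authed, "1b2c3d"))

    # The audit flags exactly the handler that lacks the decorator.
    print("unprotected:", unprotected_endpoints(Watch, WatchHistoryVulnerable, WatchHistoryFixed))
```

The audit works because the decorator leaves a marker attribute on the wrapped function; any handler reachable over HTTP that lacks the marker is reported. In a real application the same loop would be run over the resources registered on the API object, and the test would assert that the list of findings is empty.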


Package

changedetection.io (pip)

Affected versions

>= 0.39.14, <= 0.45.12

Patched versions

0.45.13


References

  • GHSA-hcvp-2cc7-jrwr
  • https://nvd.nist.gov/vuln/detail/CVE-2024-23329
  • dgtlmoon/changedetection.io@402f1e4
  • https://github.com/dgtlmoon/changedetection.io/blob/9510345e01ea8e308c339163d8e8b030ce5ac7f1/changedetectionio/api/api_v1.py#L129-L156

dgtlmoon published to dgtlmoon/changedetection.io

Jan 19, 2024

Published by the National Vulnerability Database

Jan 19, 2024

Published to the GitHub Advisory Database

Jan 23, 2024

Reviewed

Jan 23, 2024
