This is a summary of the AI-generated 10-question deep analysis.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: Server-Side Template Injection (SSTI) in **changedetection.io** via unsafe Jinja2 functions. **Consequences**: Allows **Remote Code Execution (RCE)** on the server host. Critical integrity loss!
Q2 Root Cause? (CWE/Flaw)
**Root Cause**: **CWE-1336** (Improper Neutralization of Special Elements used in a Template Engine). The app uses **unsafe Jinja2 features**, allowing attacker-controlled templates to execute system commands.
Q3 Who is affected? (Versions/Components)
**Affected**: **changedetection.io** by **dgtlmoon**. Versions **prior to 0.45.21** (specifically < 0.45.20/0.45.21 range). Check your version immediately!
Q4 What can hackers do? (Privileges/Data)
**Attacker Power**: Full **Remote Command Execution**. Can read/write files, install backdoors, pivot to internal networks. **Complete host compromise** possible.
Q5 Is exploitation threshold high? (Auth/Config)
**Exploitation**: **Low Threshold**. CVSS Vector: **AV:N/AC:L/PR:N/UI:N**. No authentication required! No user interaction needed. Remote attackers can exploit it instantly.
Q6 Is there a public exploit? (PoC/Wild Exploitation)
**Public Exploits**: **YES**. Multiple PoCs available on GitHub (e.g., `zcrosman/cve-2024-32651`, `s0ck3t-s3c`). Nuclei templates exist. **Wild exploitation risk is HIGH**.
Q7 How to self-check? (Features/Scanning)
**Self-Check**: Scan for **changedetection.io** instances. Use Nuclei template `CVE-2024-32651.yaml`. Look for **Jinja2 SSTI** indicators in web forms/URLs. Check version number in footer/about page.
Q8 Is it fixed officially? (Patch/Mitigation)
**Fixed**: **YES**. Patch released in **v0.45.21**. See GitHub Release and GHSA-4r7v-whpg-8rx3. **Upgrade immediately** to the latest version.
Q9 What if no patch? (Workaround)
**No Patch?**: Isolate the instance behind a **WAF** blocking template injection patterns (`{{`, `{%`, `__class__`). Restrict network access. **Disable** if not critical.
Q10 Is it urgent? (Priority Suggestion)
**Urgency**: **CRITICAL**. CVSS Score is **High** (likely 9.8+). Public exploits exist. No auth needed. **Patch NOW** or face immediate compromise.