CVE-2024-32651
Published: 26 April 2024
Summary
CVE-2024-32651 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Hacktivesecurity (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
changedetection.io, an open source web page change detection and notification service, contains a Server Side Template Injection vulnerability in its Jinja2 templating component. The flaw, tracked as CVE-2024-32651 and assigned CWE-1336, permits unauthenticated remote command execution on the underlying host with a CVSS score of 10.0.
An attacker can supply malicious template input to run arbitrary system commands, including establishing reverse shells, resulting in full server compromise. The application does not require authentication by default, although placing the service behind a login page reduces exposure.
A fix is available in release 0.45.21, as noted in the project's GitHub advisory GHSA-4r7v-whpg-8rx3. Public analysis and proof-of-concept material have also been published by multiple researchers.
The EPSS score has remained consistently high, reaching a peak of 0.9261, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2939
Vulnerability details
changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely take over the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced).
- CWE(s): CWE-1336
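As an added illustration (not changedetection.io's own code, and this page does not say how the 0.45.21 fix is implemented), the two rendering patterns behind the description above: user-supplied notification template text rendered on a plain Jinja2 Environment versus on Jinja2's ImmutableSandboxedEnvironment, which refuses the underscore-prefixed attribute traversal and mutating calls that the template-to-command-execution abuse relies on. The context keys and the probe strings are constructed for the example.

```python
from jinja2 import Environment
from jinja2.sandbox import ImmutableSandboxedEnvironment, SecurityError

# Constructed sample context standing in for the values a notification
# template receives; the key names are assumptions, not the project's.
SAMPLE_CONTEXT = {"watch_url": "https://example.com/page", "diff": "price: 10 -> 9"}

# Constructed probe of the kind an SSTI scanner submits: on an unsandboxed
# engine it reaches Python object internals (here only the class name).
INTROSPECTION_PROBE = "{{ ''.__class__.__name__ }}"
# Constructed template that tries to mutate a context object in place.
MUTATING_TEMPLATE = "{{ items.append('x') }}"
# A legitimate template using only the supplied context and a built-in filter.
BENIGN_TEMPLATE = "Change on {{ watch_url }}: {{ diff | upper }}"


def render_unsandboxed(src: str, ctx: dict) -> str:
    """Weak pattern: untrusted template text on a full-power Environment."""
    return Environment().from_string(src).render(**ctx)


def render_sandboxed(src: str, ctx: dict):
    """Hardened pattern: ImmutableSandboxedEnvironment resolves underscore-
    prefixed attributes to an undefined value whose further use raises
    SecurityError, and refuses mutating calls on built-in containers.
    Returns None when the template is rejected so callers emit no output."""
    env = ImmutableSandboxedEnvironment()
    try:
        return env.from_string(src).render(**ctx)
    except SecurityError:
        return None


if __name__ == "__main__":
    print(render_unsandboxed(INTROSPECTION_PROBE, SAMPLE_CONTEXT))  # str
    print(render_sandboxed(INTROSPECTION_PROBE, SAMPLE_CONTEXT))    # None
    print(render_sandboxed(MUTATING_TEMPLATE, {"items": []}))       # None
    print(render_sandboxed(BENIGN_TEMPLATE, SAMPLE_CONTEXT))
```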
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet.