changedetection.io Environment Variable Disclosure Vulnerability via jq Built-in

Vulnerability

A vulnerability in changedetection.io prior to version 0.54.7 allows the unauthorized disclosure of environment variables. The issue arises from the 'jq:' and 'jqraw:' include filter expressions, which permit the use of the jq 'env' built-in. That built-in returns every variable in the process environment, so their values end up in the watch snapshot. An authenticated user, or an unauthenticated user when no password is set (the default), can exploit this to read sensitive environment variables such as 'SALTED_PASS', 'PLAYWRIGHT_DRIVER_URL', 'HTTP_PROXY', and any other secrets passed to the container as environment variables.

Impact

Exploitation of this vulnerability leads to the unauthorized disclosure of sensitive environment variables, including authentication hashes, infrastructure credentials, and other confidential information.

Reproduction

To reproduce this vulnerability, create a watch for any JSON endpoint using 'jqraw:env' as the include filter. If no password or API key is set, the default configuration allows for unauthenticated access. Once the watch is checked, all environment variables will be leaked and can be accessed through the web UI or notification messages, if configured.

Remediation

Update to changedetection.io version 0.54.7 or later, where this vulnerability is patched.
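As a defensive check to run before a watch is saved, the following is an added example (not changedetection.io's own code or its upstream fix): it parses the 'jq:' / 'jqraw:' include filters named above and rejects any expression that references jq's 'env' built-in or the equivalent '$ENV' variable. The helper names, the sample filter list and the regular expression are assumptions of this example.

```python
import re

# Assumed for this example: the two jq filter prefixes named in the advisory.
JQ_PREFIXES = ("jq:", "jqraw:")

# Match a bare `env` token or the `$ENV` variable. The lookbehind excludes `.`,
# `$` and word characters so that a JSON field access such as `.env`, or a name
# like `environment`, is not flagged. A string literal containing the word env is
# still flagged; this check is deliberately conservative.
_ENV_TOKEN = re.compile(r"(?<![\w$.])(?:env|\$ENV)(?![\w])")


def split_filter(expr):
    """Return (prefix, body) for a jq include filter, or (None, expr) otherwise."""
    stripped = expr.strip()
    for prefix in JQ_PREFIXES:
        if stripped.startswith(prefix):
            return prefix, stripped[len(prefix):]
    return None, stripped


def uses_environment(expr):
    """True when a jq include filter would read the process environment."""
    prefix, body = split_filter(expr)
    if prefix is None:
        # Not a jq filter (e.g. an xpath or css selector): nothing to check here.
        return False
    return _ENV_TOKEN.search(body) is not None


def validate_include_filters(filters):
    """Return (filter, reason) pairs for every include filter that must be rejected."""
    rejected = []
    for f in filters:
        if uses_environment(f):
            rejected.append((f, "jq filter reads the process environment (env / $ENV)"))
    return rejected


if __name__ == "__main__":
    # Constructed sample filters; only 'jqraw:env' appears in the advisory itself.
    sample = [
        "jqraw:env",
        "jq:.items[].price",
        "jq:$ENV|keys",
        "jqraw:.env",
        "xpath://div",
    ]
    for f, reason in validate_include_filters(sample):
        print(f"reject {f!r}: {reason}")
```

Running this against the constructed list rejects 'jqraw:env' and 'jq:$ENV|keys' and lets the field access '.env' and the non-jq selector through. It is a mitigation for deployments that cannot upgrade immediately and a useful audit over existing watches; it does not replace the upgrade.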

Added: Mar 27, 2026, 10:22 PM
Updated: Mar 27, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.