ChangeDetection.io SafeXPath3Parser Protection Bypass Vulnerability Allowing Arbitrary File Read

A protection bypass vulnerability has been identified in ChangeDetection.io versions prior to 0.54.7. This vulnerability resides in the SafeXPath3Parser implementation, where attackers can exploit an incomplete blocklist of dangerous XPath 3.0/3.1 functions. By using unblocked functions such as json-doc() and similar file-access primitives, attackers can read arbitrary local files, potentially accessing sensitive data from the local filesystem.

Impact

Exploitation of this vulnerability allows for arbitrary file read access, bypassing intended protections and potentially leading to the disclosure of sensitive information.

Reproduction

The vulnerability can be reproduced by using an unblocked XPath 3.0/3.1 function, such as json-doc(), to access local files. This can be done by crafting an XPath expression that exploits the SafeXPath3Parser's incomplete blocklist of disallowed functions. The accessed file can be any arbitrary file on the local filesystem, such as the ChangeDetection.json file in the datastore directory.

Remediation

Users are advised to update to ChangeDetection.io version 0.54.7 or later, where this vulnerability has been patched.