CVE-2024-32651: 
Python vulnerability analysis and mitigation

CVE-2024-32651 affects changedetection.io, an open source web page change detection, website watcher, restock monitor and notification service. The vulnerability was discovered and disclosed on April 25, 2024. It involves a Server Side Template Injection (SSTI) vulnerability in Jinja2 that allows Remote Command Execution on the server host (GitHub Advisory).

The vulnerability exists in versions up to 0.45.20 and is caused by unsafe usage of Jinja2 template engine functions. The CVSS v3.1 base score is 10.0 CRITICAL with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The vulnerability is classified as CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine) (GitHub Advisory).

The vulnerability allows attackers to run any system command without restriction on the server host. They can execute arbitrary commands and potentially use reverse shells. The impact is critical as attackers can completely take over the server machine. While the risk can be reduced if changedetection access is protected by a login page with a password, this protection is not required by default or enforced (GitHub Advisory).

The vulnerability has been patched in version 0.45.21. Users should upgrade to this version or later to mitigate the risk. As a temporary workaround, users can place the application behind a login page, though this is not a complete solution (GitHub Release).