CVE-2024-40422

The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter to traverse directories and access sensitive files on the server. This can potentially lead to unauthorized access to critical system files and compromise the confidentiality and integrity of the system.
Configurations

Configuration 1 (hide)

cpe:2.3:a:stitionai:devika:1.0:*:*:*:*:*:*:*

History

21 Nov 2024, 09:31

Type Values Removed Values Added
References () https://github.com/alpernae/CVE-2024-40422 - Third Party Advisory () https://github.com/alpernae/CVE-2024-40422 - Third Party Advisory
References () https://github.com/stitionai/devika - Product () https://github.com/stitionai/devika - Product
References () https://github.com/stitionai/devika/pull/619 - Exploit () https://github.com/stitionai/devika/pull/619 - Exploit

16 Aug 2024, 20:35

Type Values Removed Values Added
Summary
  • (es) El parámetro snapshot_path en el endpoint /api/get-browser-snapshot en stitionai devika v1 es susceptible a un ataque de path traversal. Un atacante puede manipular el parámetro snapshot_path para recorrer directorios y acceder a archivos confidenciales en el servidor. Potencialmente, esto puede conducir a un acceso no autorizado a archivos críticos del sistema y comprometer la confidencialidad e integridad del sistema.

25 Jul 2024, 17:42

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.1
CWE CWE-22
First Time Stitionai
Stitionai devika
CPE cpe:2.3:a:stitionai:devika:1.0:*:*:*:*:*:*:*
References () https://github.com/alpernae/CVE-2024-40422 - () https://github.com/alpernae/CVE-2024-40422 - Third Party Advisory
References () https://github.com/stitionai/devika - () https://github.com/stitionai/devika - Product
References () https://github.com/stitionai/devika/pull/619 - () https://github.com/stitionai/devika/pull/619 - Exploit

24 Jul 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-24 16:15

Updated : 2024-11-21 09:31


NVD link : CVE-2024-40422

Mitre link : CVE-2024-40422

CVE.ORG link : CVE-2024-40422


JSON object : View

Products Affected

stitionai

  • devika
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')