CVE-2024-5548

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-5548
A directory traversal vulnerability exists in the stitionai/devika repository, specifically within the /api/download-project endpoint. Attackers can exploit this vulnerability by manipulating the 'project_name' parameter in a GET request to download arbitrary files from the system. This issue affects the latest version of the repository. The vulnerability arises due to insufficient input validation in the 'download_project' function, allowing attackers to traverse the directory structure and access files outside the intended directory. This could lead to unauthorized access to sensitive files on the server.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2
https://huntr.com/bounties/ad7dd135-8839-4042-87c0-105af61d262c
https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2
https://huntr.com/bounties/ad7dd135-8839-4042-87c0-105af61d262c
Configurations

No configuration.

History

21 Nov 2024, 09:47

Type Values Removed Values Added
References () https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2 - () https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2 -
References () https://huntr.com/bounties/ad7dd135-8839-4042-87c0-105af61d262c - () https://huntr.com/bounties/ad7dd135-8839-4042-87c0-105af61d262c -

12 Jul 2024, 08:15

Type Values Removed Values Added
Summary
  • (es) Path Traversal en el repositorio de GitHub stitionai/devika antes de -.
Summary (en) Path Traversal in GitHub repository stitionai/devika prior to -. (en) A directory traversal vulnerability exists in the stitionai/devika repository, specifically within the /api/download-project endpoint. Attackers can exploit this vulnerability by manipulating the 'project_name' parameter in a GET request to download arbitrary files from the system. This issue affects the latest version of the repository. The vulnerability arises due to insufficient input validation in the 'download_project' function, allowing attackers to traverse the directory structure and access files outside the intended directory. This could lead to unauthorized access to sensitive files on the server.

27 Jun 2024, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-06-27 18:15

Updated : 2024-11-21 09:47

NVD link : CVE-2024-5548

Mitre link : CVE-2024-5548

CVE.ORG link : CVE-2024-5548

JSON object : View

Products Affected

No product.

CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024