Platform
python
Component
devika
Fixed in
-
CVE-2024-5547 describes a directory traversal vulnerability discovered in the stitionai/devika project, specifically within the /api/download-project-pdf endpoint. This flaw allows unauthorized access to PDF files stored on the system by manipulating the project_name parameter. The vulnerability impacts the latest version of devika and requires immediate attention due to the potential for sensitive data exposure. Currently, no official fix has been released.
Successful exploitation of CVE-2024-5547 allows an attacker to bypass intended directory restrictions and download arbitrary PDF files. This could expose sensitive data contained within those files, such as confidential documents, financial records, or proprietary information. The potential impact extends beyond simple data exposure; an attacker could potentially use this vulnerability to gain a deeper understanding of the system's file structure and identify other potential vulnerabilities. While the initial access point is limited to the /api/download-project-pdf endpoint, the ability to download arbitrary files could facilitate further reconnaissance and lateral movement within the affected environment.
CVE-2024-5547 was publicly disclosed on 2024-06-27. There is no indication of this vulnerability being actively exploited in the wild or listed on CISA KEV. Public proof-of-concept exploits are currently unknown, but the ease of exploitation inherent in directory traversal vulnerabilities suggests a potential for rapid development and dissemination of such exploits. The vulnerability's simplicity makes it a likely target for automated scanning and exploitation tools.
Organizations utilizing the stitionai/devika project, particularly those deploying it in production environments without proper security hardening, are at risk. Shared hosting environments where multiple users share the same server are also particularly vulnerable, as an attacker could potentially access PDF files belonging to other users.
• linux / server:
journalctl -u devika -f | grep "download_project_pdf"
• generic web:
curl -I 'http://your-devika-server/api/download-project-pdf?project_name=../../../../etc/passwd' | grep 'HTTP/1.1' # Check for 403 or 200 OK
Exploit status
EPSS
1.26% (79th percentile)
CISA SSVC
CVSS vector
Due to the absence of a direct patch, mitigation strategies focus on limiting the vulnerability's impact. The primary mitigation is to implement robust input validation on the project_name parameter within the /api/download-project-pdf endpoint. This should include strict whitelisting of allowed characters and regular expression-based validation to prevent directory traversal sequences (e.g., ../). Additionally, implement strict access controls to restrict access to the directory containing the PDF files. Consider deploying a Web Application Firewall (WAF) with rules to detect and block requests containing suspicious directory traversal patterns. Regularly review and audit the application's code for similar vulnerabilities.
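To make the validation described above concrete, here is an added example written for this page (not devika's own code) that places a naive path lookup next to a hardened one. The directory layout (one PDF per project at base/project_name.pdf), the function names and the allow-list regex are assumptions; the traversal string is the one used in the curl check above.

```python
import re
import tempfile
from pathlib import Path

# Assumed layout (hypothetical, not devika's): one PDF per project at <base>/<project_name>.pdf
PROJECT_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def unsafe_pdf_path(base_dir: str, project_name: str) -> Path:
    """Naive lookup: the request parameter is spliced into the path, so ../ walks out of base_dir."""
    return Path(base_dir) / f"{project_name}.pdf"


def is_inside(base_dir: str, path: Path) -> bool:
    """True only if the fully resolved path still lies under base_dir."""
    try:
        path.resolve().relative_to(Path(base_dir).resolve())
        return True
    except ValueError:
        return False


def safe_pdf_path(base_dir: str, project_name: str) -> Path:
    """Hardened lookup: allow-list the name, then re-check the resolved path as defence in depth."""
    if not PROJECT_NAME_RE.fullmatch(project_name):
        raise ValueError("invalid project_name")
    candidate = Path(base_dir) / f"{project_name}.pdf"
    if not is_inside(base_dir, candidate):  # covers symlinks and anything the regex misses
        raise ValueError("project_name escapes the PDF directory")
    if not candidate.is_file():
        raise FileNotFoundError(project_name)
    return candidate.resolve()


def demo() -> dict:
    """Constructed scenario: one legitimate PDF plus the traversal string from the curl check."""
    with tempfile.TemporaryDirectory() as tmp:
        pdf_dir = Path(tmp) / "pdfs"
        pdf_dir.mkdir()
        (pdf_dir / "demo-project.pdf").write_bytes(b"%PDF-1.4\n%%EOF\n")  # constructed sample file
        traversal = "../../../../etc/passwd"
        results = {
            "unsafe_escapes": not is_inside(str(pdf_dir), unsafe_pdf_path(str(pdf_dir), traversal)),
            "safe_accepts_valid": safe_pdf_path(str(pdf_dir), "demo-project").name == "demo-project.pdf",
        }
        try:
            safe_pdf_path(str(pdf_dir), traversal)
            results["safe_rejects_traversal"] = False
        except ValueError:
            results["safe_rejects_traversal"] = True
        return results
```

The allow-list check alone would already reject the traversal string; the resolved-path check is kept so that a later relaxation of the regex or a symlink inside the PDF directory cannot reopen the hole.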
Update the devika library to the latest available version. This will fix the path traversal vulnerability. Make sure to properly validate and sanitize user input, especially the 'project_name' parameter, to prevent unauthorized file access.
CVE-2024-5547 is a Directory Traversal vulnerability in the stitionai/devika project's /api/download-project-pdf endpoint, allowing attackers to download arbitrary PDF files.
If you are using the latest version of stitionai/devika and have not implemented mitigating controls, you are potentially affected by this vulnerability.
Currently, no official fix is available. Mitigate by implementing strict input validation, WAF rules, and restricting file system permissions.
While no active exploitation has been confirmed, the ease of exploiting directory traversal flaws suggests that working exploits could appear quickly.
Check the stitionai/devika repository and related communication channels for updates and advisories regarding CVE-2024-5547.