Platform
python
Component
devika
Fixed in
-
CVE-2024-5548 describes a directory traversal vulnerability discovered in the stitionai/devika project. This flaw allows attackers to bypass intended access controls and retrieve arbitrary files from the system. The vulnerability impacts all versions of the project and stems from insufficient input validation within the /api/download-project endpoint. While a fix is not yet available, mitigation strategies focus on input validation and access restrictions.
The primary impact of CVE-2024-5548 is unauthorized access to sensitive files stored on the server. By manipulating the 'project_name' parameter in a GET request to the /api/download-project endpoint, an attacker can traverse the directory structure and download files outside the intended directory. This could expose configuration files, source code, database credentials, or other confidential data. The blast radius is potentially significant, depending on the files accessible and the privileges of the user running the devika application. Successful exploitation could lead to data breaches, system compromise, and further malicious activity.
CVE-2024-5548 was publicly disclosed on 2024-06-27. The vulnerability exists in a publicly accessible Python project, increasing the likelihood of exploitation. No public proof-of-concept (POC) code has been identified as of this writing, but the ease of exploitation makes it a potential target for opportunistic attackers. It is not currently listed on CISA KEV. Monitor security advisories and threat intelligence feeds for updates.
Organizations deploying Devika in environments with inadequate input validation or access controls are at risk. Shared hosting environments where multiple users share the same server are particularly vulnerable, as an attacker could potentially compromise other users' data through this vulnerability. Systems with legacy configurations or those lacking robust security monitoring are also at increased risk.
• linux / server: Monitor access logs for requests to /api/download-project containing suspicious characters like ../ or absolute paths. Use grep to search for these patterns.
grep 'project_name=.*\.\.' /var/log/nginx/access.log
• generic web: Use curl to test the endpoint with various payloads containing path traversal sequences.
curl 'http://your-devika-server/api/download-project?project_name=../../../../etc/passwd'
• generic web: Examine response headers for unexpected content types or file extensions that indicate unauthorized file access.
• linux / server: Use auditd to monitor access to sensitive files and directories. Create an audit rule to log attempts to access files outside the intended directory.
auditctl -w /etc -p r -k devika_traversal
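As an added example that is not part of the original advisory or the devika project, the following Python script applies the log check above to a few constructed nginx access-log lines; unlike the plain grep pattern, it also catches URL-encoded and double-encoded traversal sequences. The log lines and client addresses are constructed sample data.

```python
# Added example (not devika project code): flag /api/download-project requests whose
# project_name looks like directory traversal, in nginx "combined" log format.
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Constructed sample log lines (not real traffic); the last one is a benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jun/2024:10:00:01 +0000] "GET /api/download-project?project_name=demo HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.6 - - [27/Jun/2024:10:00:02 +0000] "GET /api/download-project?project_name=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "curl/8.0"
10.0.0.7 - - [27/Jun/2024:10:00:03 +0000] "GET /api/download-project?project_name=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 200 800 "-" "python-requests/2.31"
10.0.0.8 - - [27/Jun/2024:10:00:04 +0000] "GET /api/download-project?project_name=%252e%252e%252fsecret HTTP/1.1" 200 300 "-" "curl/8.0"
10.0.0.9 - - [27/Jun/2024:10:00:05 +0000] "GET /api/status HTTP/1.1" 200 42 "-" "curl/8.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ENDPOINT = "/api/download-project"


def is_traversal(value: str) -> bool:
    """True if the (possibly multiply URL-encoded) value is absolute or contains a '..' segment."""
    decoded = value
    for _ in range(3):  # peel off double/triple percent-encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")  # treat backslash as a separator too
    return decoded.startswith("/") or ".." in decoded.split("/")


def flag_traversal_requests(log_text: str) -> list[dict]:
    """Return {'client', 'project_name'} for each request to ENDPOINT whose name is_traversal()."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != ENDPOINT:
            continue
        # parse_qs already decodes one layer; is_traversal() handles any further layers
        for name in parse_qs(parts.query, keep_blank_values=True).get("project_name", []):
            if is_traversal(name):
                hits.append({"client": line.split()[0], "project_name": name})
    return hits


if __name__ == "__main__":
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print(f"suspicious request from {hit['client']}: project_name={hit['project_name']!r}")
```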
Exploit status
EPSS
0.89% (75th percentile)
CISA SSVC
CVSS vector
Because no fixed-in version is listed, immediate mitigation focuses on restricting access and validating input. Implement strict input validation on the 'project_name' parameter, ensuring it only contains expected characters and does not include path traversal sequences (e.g., '..'). Consider an allowlist approach that accepts only specific, known project names. Restrict the file permissions of the devika application user so that it cannot read files outside the intended project directory. Web application firewalls (WAFs) can be configured to detect and block requests containing suspicious path traversal patterns. Regularly review and audit the application's code and configuration to identify and address potential vulnerabilities. After implementing these mitigations, verify them by attempting to access files outside the intended directory with various path traversal payloads.
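An added illustration, not code from the devika project, of the validation described above: the unvalidated join that produces this class of bug, next to a hardened resolver that applies a strict allowlist on project_name and then a containment check on the resolved path. The PROJECTS_ROOT directory and the NAME_RE pattern are assumptions chosen for illustration.

```python
"""Added example (not devika's own code): validate a user-supplied
project_name before using it to build a filesystem path.
PROJECTS_ROOT and NAME_RE are assumptions chosen for illustration."""
import os
import re
from pathlib import Path

PROJECTS_ROOT = Path("/srv/devika/projects")  # assumed base directory
# Allowlist: starts alphanumeric, then letters, digits, '_' or '-', max 64 chars.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


class InvalidProjectName(ValueError):
    """Raised when project_name fails validation."""


def unsafe_project_path(project_name: str, root: Path = PROJECTS_ROOT) -> str:
    """The pattern behind this class of bug: a join with no validation.
    os.path.join keeps '..' segments and discards root entirely for an absolute input."""
    return os.path.normpath(os.path.join(str(root), project_name))


def resolve_project_path(project_name: str, root: Path = PROJECTS_ROOT) -> Path:
    """Hardened version with two independent checks:
    1. the name must match the allowlist (so no '/', '\\', '.' or '%' at all);
    2. the resolved path must be a direct child of root, which also catches
       symlinks and any normalisation the first check did not anticipate."""
    if not NAME_RE.fullmatch(project_name):
        raise InvalidProjectName(f"rejected project_name: {project_name!r}")
    root = root.resolve()
    candidate = (root / project_name).resolve()
    if candidate.parent != root:
        raise InvalidProjectName("resolved path escapes the projects root")
    return candidate


def is_safe_project_name(project_name: str, root: Path = PROJECTS_ROOT) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        resolve_project_path(project_name, root)
    except InvalidProjectName:
        return False
    return True


if __name__ == "__main__":
    for name in ("demo", "../../../../etc/passwd", "/etc/passwd", "%2e%2e/x"):
        print(f"{name!r}: unsafe -> {unsafe_project_path(name)}  accepted? {is_safe_project_name(name)}")
```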
Update to the latest version of devika. Commit 6acce21fb08c3d1123ef05df6a33912bf0ee77c2 contains the fix for the vulnerability. Make sure the 'project_name' input is properly validated and sanitized to prevent directory traversal.
CVE-2024-5548 is a directory traversal vulnerability in the stitionai/devika repository, allowing attackers to download arbitrary files by manipulating the project_name parameter. It has a CVSS score of 7.5 (HIGH).
All versions of the stitionai/devika repository are affected by this vulnerability due to insufficient input validation. If you are using Devika, you are potentially at risk.
Currently, no official fix is available. Mitigate by implementing WAF rules, restricting access to the /api/download-project endpoint, and enforcing strict access controls on the file system.
As of now, there is no confirmed evidence of active exploitation campaigns targeting CVE-2024-5548, but the high CVSS score suggests a potential risk.
Refer to the stitionai/devika GitHub repository for updates, announcements, and advisories related to CVE-2024-5548.