Platform
python
Component
devika
Fixed in
-
CVE-2024-5547 describes a directory traversal vulnerability found in the /api/download-project-pdf endpoint of the stitionai/devika project. This flaw allows unauthorized access to PDF files stored on the system by manipulating the project_name parameter. The vulnerability impacts the latest version of devika and requires immediate attention due to the potential for sensitive data exposure. Currently, no official fix has been released.
An attacker can exploit this vulnerability to bypass the intended directory restriction and download PDF files outside the project storage location, including sensitive documents, financial records, or proprietary information kept in PDF format. Successful exploitation compromises the confidentiality of the system and can lead to a data breach. The blast radius is bounded by the permissions of the web server process: any file it can read is potentially exposed. The impact is comparable to other directory traversal vulnerabilities in which an attacker gains unauthorized read access to files.
This vulnerability was publicly disclosed on 2024-06-27. The EPSS score listed for this entry is 1.26% (79th percentile). No public proof-of-concept (PoC) has been identified as of this writing, but the simplicity of the flaw (a single manipulated query parameter) means one could be written quickly. The vulnerability is tracked by the NVD and CISA.
Exploit Status
EPSS
1.26% (79% percentile)
CISA SSVC
CVSS Vector
Because no patch is available, mitigation relies on compensating controls. Implement strict allowlist validation on the project_name parameter so that it accepts only the expected characters and format, and resolve the resulting path and confirm it still lies inside the project directory before opening it. Configure a web application firewall (WAF) to block requests containing path traversal sequences (e.g., ../ and their URL-encoded and double-encoded forms). Restrict file system permissions so the web server user cannot read directories beyond the project storage. Consider placing a filtering reverse proxy in front of the application to further restrict what reaches the endpoint. Regularly monitor access logs for requests to /api/download-project-pdf with suspicious project_name values. After implementing these mitigations, verify that requests carrying traversal sequences are rejected and that only PDFs within the intended project directory can be retrieved.
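The following is an added example written for this page, not code from the devika project: it puts the naive path construction that a traversal bug of this shape relies on next to a hardened resolver (allowlist plus containment check), and adds a decode-then-inspect heuristic that can be applied to access logs or used as a WAF rule. The storage directory, the project-name pattern, the function names and the log lines are all assumptions constructed for the example.

```python
"""
Added example (not devika's own code): hardened project_name handling for a
"download project PDF" endpoint, plus a log-review heuristic for the same
parameter.  PROJECTS_DIR, the allowlist regex and the log lines are assumptions.
"""
import os
import re
from pathlib import Path
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed storage layout: one PDF per project directly under a fixed base dir.
PROJECTS_DIR = Path("/srv/devika/projects")  # assumption for the example

# Positive allowlist for a project name: no '/', '\\', '.', '%' or NUL,
# so '..', '../x' and percent-encoded variants are rejected outright.
_PROJECT_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _-]{0,63}$")


def naive_pdf_path(project_name: str) -> Path:
    """Vulnerable shape: join the user-supplied value straight into a path."""
    return PROJECTS_DIR / f"{project_name}.pdf"


def naive_escapes_base(project_name: str) -> bool:
    """Show the escape: normalise the naive path and test whether it left PROJECTS_DIR."""
    normalised = os.path.normpath(str(naive_pdf_path(project_name)))
    return not normalised.startswith(str(PROJECTS_DIR) + os.sep)


def is_safe_project_name(project_name: str) -> bool:
    """Allowlist check on the raw parameter value."""
    return _PROJECT_NAME_RE.fullmatch(project_name) is not None


def safe_pdf_path(project_name: str, base_dir: Path = PROJECTS_DIR) -> Path:
    """Hardened resolver: allowlist the name, then prove the resolved path is contained."""
    if not is_safe_project_name(project_name):
        raise ValueError("invalid project name")
    base = base_dir.resolve()
    candidate = (base / f"{project_name}.pdf").resolve()  # collapses '..' and symlinks
    if candidate.parent != base:  # must be a direct child of the project directory
        raise ValueError("path escapes project directory")
    return candidate


def looks_like_traversal(raw_value: str, max_decodes: int = 3) -> bool:
    """WAF / log-review heuristic: decode repeatedly (catches %2e%2e%2f and
    %252e double encoding), normalise backslashes, then look for a '..'
    path segment or an absolute path."""
    value = raw_value
    for _ in range(max_decodes):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace("\\", "/")
    return ".." in value.split("/") or value.startswith("/")


# Constructed access-log lines in combined format (not real traffic).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [27/Jun/2024:10:00:01 +0000] "GET /api/download-project-pdf?project_name=my-report HTTP/1.1" 200 51234
10.0.0.9 - - [27/Jun/2024:10:00:07 +0000] "GET /api/download-project-pdf?project_name=..%2F..%2Fshared%2Fconfidential HTTP/1.1" 200 1432
10.0.0.9 - - [27/Jun/2024:10:00:09 +0000] "GET /api/download-project-pdf?project_name=%252e%252e%252fhr%252fpayroll HTTP/1.1" 500 0
10.0.0.7 - - [27/Jun/2024:10:00:12 +0000] "GET /api/health HTTP/1.1" 200 2
"""


def flag_traversal_requests(log_text: str,
                            endpoint: str = "/api/download-project-pdf") -> list:
    """Return the client IP of every log line that hit `endpoint` with a
    traversal-looking project_name value."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        parsed = urlsplit(m.group(1))
        if parsed.path != endpoint:
            continue
        values = parse_qs(parsed.query, keep_blank_values=True).get("project_name", [])
        if any(looks_like_traversal(v) for v in values):  # parse_qs already decoded once
            hits.append(line.split(" ", 1)[0])
    return hits


if __name__ == "__main__":
    print("naive escapes:", naive_escapes_base("../secrets/report"))
    print("safe path:", safe_pdf_path("my-report"))
    for bad in ("../secrets/report", "..%2F..%2Fx"):
        try:
            safe_pdf_path(bad)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
    print("suspicious clients:", flag_traversal_requests(SAMPLE_ACCESS_LOG))
```

The allowlist alone stops the traversal; the containment check after resolve() is the second, independent control, so a later relaxation of the regex (for example to allow dots in names) cannot silently reopen the hole. The log heuristic decodes more than once on purpose: web servers and frameworks typically decode once, so a double-encoded payload such as %252e%252e%252f only becomes ../ after a second pass.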
Update devika to the latest available version once a release that addresses this path traversal is published; at the time of writing the page lists no fixed version. Make sure user input, especially the 'project_name' parameter, is correctly validated and sanitized to prevent unauthorized file access.
CVE-2024-5547 is a Directory Traversal vulnerability in the stitionai/devika project's /api/download-project-pdf endpoint, allowing attackers to download arbitrary PDF files.
If you are using the latest version of stitionai/devika and have not implemented mitigating controls, you are potentially affected by this vulnerability.
Currently, no official fix is available. Mitigate by implementing strict input validation, WAF rules, and restricting file system permissions.
While no active exploitation has been confirmed, the flaw is simple to trigger (a single manipulated query parameter), so exploitation could begin quickly.
Check the stitionai/devika repository and related communication channels for updates and advisories regarding CVE-2024-5547.