Platform
python
Component
devika
Fixed in
-
CVE-2024-5548 describes a directory traversal vulnerability found in the stitionai/devika repository. This flaw allows attackers to download arbitrary files from the system by manipulating the 'project_name' parameter in a GET request to the /api/download-project endpoint. The vulnerability impacts all versions of the repository due to inadequate input validation and currently, no official fix is available.
Successful exploitation of CVE-2024-5548 lets an attacker read any file the Devika process can read, including configuration files (which may hold API keys for the LLM and search back-ends Devika talks to), application source code, and other users' project data. Because the flaw sits in a download endpoint, it is a read primitive: on its own it does not let the attacker write or delete files, but secrets recovered this way can be used for further compromise. The blast radius therefore depends on what the Devika service account can read; if it runs as root or as a shared user, that is effectively the whole file system. As with other directory traversal bugs, the attacker relies on predictable file system layouts (/etc/passwd, the application's own config directory) rather than on any knowledge of the target's project names.
CVE-2024-5548 was publicly disclosed on 2024-06-27. There is currently no indication of active exploitation campaigns, no Proof-of-Concept (PoC) code had been publicly released as of this writing, and the vulnerability is not listed in the CISA KEV catalog. Note that the CVSS score of 7.5 measures severity (here, full confidentiality loss over the network with no privileges required), not likelihood of exploitation; the EPSS estimate below is the exploitation-probability figure.
Exploit Status
EPSS
0.89% (75th percentile)
CISA SSVC
CVSS Vector
Since a patch is not currently available, mitigation focuses on limiting the impact of the vulnerability. Restrict access to the /api/download-project endpoint to authorized users and networks; Devika is a development assistant and rarely needs to be reachable from the internet at all. Run the Devika process under a dedicated low-privilege account whose readable files are limited to its own project directory, and review those file system permissions regularly. Add Web Application Firewall (WAF) or reverse-proxy rules that reject project_name values containing path separators, parent-directory sequences or percent-encoded forms of them; treat this as defense in depth only, since pattern-based filters are routinely bypassed with alternate encodings. Monitor access logs for project_name values that do not look like plain project names, and for file reads outside the project directory.
Update to the latest version of devika. Commit 6acce21fb08c3d1123ef05df6a33912bf0ee77c2 contains the fix for the vulnerability; verify that the build you deploy includes that commit. Make sure the project_name input is properly validated and sanitized to prevent directory traversal.
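The following is an added example illustrating the mitigation and remediation advice above; it is not code from the Devika project and does not reproduce its actual handler. It assumes a hypothetical layout in which every project is a directory directly under one base directory (PROJECTS_DIR) and the endpoint receives the bare directory name in the project_name query parameter. It contrasts the naive path join that produces this class of bug with a hardened lookup (allowlist the name, then confirm the canonical path is still inside the base directory), and includes a small lexical detector of the kind a WAF rule or log review could use.

```python
import os
import re
from pathlib import Path
from urllib.parse import parse_qs

# Assumed layout (hypothetical, not taken from the Devika source): every
# project is a directory directly under one base directory, and
# /api/download-project receives the bare directory name as project_name.
PROJECTS_DIR = Path("/opt/devika/data/projects")

# Allowlist for a single path component: a letter or digit, then up to 63
# letters, digits, spaces, underscores, dots or dashes. Slashes, backslashes,
# NUL bytes, percent signs and leading dots (".", "..", ".env") all fail
# this test without having to be enumerated one by one.
PROJECT_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}")


def project_name_from_query(query: str) -> str:
    """Extract project_name from a raw query string. parse_qs percent-decodes
    exactly once, so a double-encoded payload still contains '%' characters
    when it reaches the validation step."""
    values = parse_qs(query, keep_blank_values=True).get("project_name", [])
    if len(values) != 1:
        raise ValueError("expected exactly one project_name parameter")
    return values[0]


def vulnerable_project_path(project_name: str, base: Path = PROJECTS_DIR) -> str:
    """The unsafe pattern: join untrusted input onto the base directory.
    normpath is applied only to show where the joined path actually lands;
    the defect is the join itself, which lets '../' or an absolute path
    escape the projects directory."""
    return os.path.normpath(os.path.join(str(base), project_name))


def looks_like_traversal(project_name: str) -> bool:
    """Cheap lexical detector for a WAF rule or log review: flags parent
    directory components, path separators, leftover percent-encoding and
    NUL bytes. Useful as a signal, never sufficient as the only control."""
    return re.search(r"(\.\.|[/\\%\x00])", project_name) is not None


def safe_project_path(project_name: str, base: Path = PROJECTS_DIR) -> Path:
    """Hardened lookup. The allowlist rejects malformed input early; the
    commonpath check on the canonical path catches anything the file system
    (for example a symlinked project directory) would redirect elsewhere."""
    if not PROJECT_NAME_RE.fullmatch(project_name):
        raise ValueError("invalid project name")
    base_resolved = base.resolve()
    candidate = (base_resolved / project_name).resolve()
    # commonpath rather than startswith: "/srv/projects-evil" starts with
    # the string "/srv/projects" but is not inside that directory.
    if os.path.commonpath([base_resolved, candidate]) != str(base_resolved):
        raise ValueError("project path escapes the projects directory")
    return candidate


def is_rejected(project_name: str, base: Path = PROJECTS_DIR) -> bool:
    """True when the hardened lookup refuses the name."""
    try:
        safe_project_path(project_name, base)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample queries: a benign name, a percent-encoded traversal
    # and a double-encoded traversal (the last one survives decoding as '%').
    for query in ("project_name=demo",
                  "project_name=..%2F..%2F..%2F..%2Fetc%2Fpasswd",
                  "project_name=%252e%252e%252fetc%252fpasswd"):
        name = project_name_from_query(query)
        print(f"{query}: naive join lands at {vulnerable_project_path(name)}")
        if is_rejected(name):
            print("  hardened lookup: rejected")
        else:
            print(f"  hardened lookup: {safe_project_path(name)}")
```

The allowlist is deliberately strict: a project name that cannot contain a separator or a dot-prefixed component cannot traverse, whatever encoding it arrived in, which is why the encoding-aware WAF pattern above is only a secondary signal.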
CVE-2024-5548 is a directory traversal vulnerability in the stitionai/devika repository, allowing attackers to download arbitrary files by manipulating the project_name parameter. It has a CVSS score of 7.5 (HIGH).
All versions of the stitionai/devika repository are affected by this vulnerability due to insufficient input validation. If you are using Devika, you are potentially at risk.
Currently, no official fix is available. Mitigate by implementing WAF rules, restricting access to the /api/download-project endpoint, and enforcing strict access controls on the file system.
As of now, there is no confirmed evidence of active exploitation campaigns targeting CVE-2024-5548. The CVSS score indicates high severity if it is exploited; the EPSS figure above is the current estimate of how likely that is.
Refer to the stitionai/devika repository for updates and advisories related to CVE-2024-5548. Check their GitHub repository for announcements.