CVE-2024-6433 describes an arbitrary file read vulnerability in the devika application. The flaw allows an attacker to read sensitive files by manipulating the snapshot_path parameter. All versions released before a patch are affected, and no fixed version is currently available. Mitigation focuses on input validation and access control.
The primary impact of CVE-2024-6433 is the unauthorized disclosure of sensitive files on the system. An attacker can exploit this vulnerability by crafting a malicious request that includes a specially crafted snapshot_path parameter. This parameter directs the application to zip files, but the attacker can control the path, allowing them to specify arbitrary files for reading. The potential data at risk includes configuration files, source code, database credentials, and any other files accessible by the application's user account. Lateral movement is unlikely directly from this vulnerability, but the exposed data could be used to compromise other systems or accounts.
CVE-2024-6433 was publicly disclosed on 2024-07-10. Currently, there are no known public proof-of-concept exploits available. The vulnerability's EPSS score is likely low to medium, given the lack of public exploits and the requirement for specific parameter manipulation. It is not listed on the CISA KEV catalog at the time of this writing.
Organizations deploying devika in environments where user input directly influences file access are at risk. This includes deployments with weak input validation or where the application's user account has excessive permissions. Shared hosting environments where multiple users share the same devika instance are also particularly vulnerable.
• python / server:
grep -r 'snapshot_path=' /path/to/devika/source_code
• generic web:
curl -I 'http://your-devika-instance/zip?snapshot_path=../../../../etc/passwd' # Check for 200 OK response

Disclosure
Exploitation status
EPSS: 0.41% (61st percentile)
Because no fixed version exists, immediate mitigation focuses on restricting access and validating user input. Implement strict input validation on the snapshot_path parameter so that it only accepts expected values and paths. Prefer a whitelist of allowed directories over a blacklist of forbidden ones. Restrict the application's user account to the minimum permissions it needs, so that sensitive files are not readable even if validation is bypassed. Add a Web Application Firewall (WAF) rule that blocks requests containing suspicious characters or traversal sequences in the snapshot_path parameter. Regularly review application logs for unusual file-access activity.
Update the stitionai/devika library to a patched version that fixes the local file inclusion vulnerability. Make sure user-supplied paths are properly validated and sanitized before they are used to create ZIP files. Do not allow users to specify arbitrary paths on the file system.
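As an added example (not devika's own code) of the validation the two paragraphs above call for: the vulnerable pattern of joining the request parameter straight onto a path, beside a hardened check that resolves the parameter under an allowlisted base directory and refuses anything that escapes it. The base directory, the function names and the sample snapshot are assumptions of this example.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Assumption for this example: snapshots live under one base directory and
# nothing outside it may ever be zipped. A temp dir stands in for the real one.
SNAPSHOT_BASE = Path(tempfile.mkdtemp(prefix="snapshots_")).resolve()


def unsafe_zip_target(snapshot_path: str, base: Path = SNAPSHOT_BASE) -> Path:
    """Vulnerable pattern: the parameter is joined unchecked, so '../../etc/passwd'
    walks out of the snapshot directory and an absolute path replaces the base."""
    return base / snapshot_path


def resolve_snapshot_path(snapshot_path: str, base: Path = SNAPSHOT_BASE) -> Path:
    """Hardened pattern: treat the parameter as a name relative to the allowlisted
    base, canonicalise it (symlinks included), and require it to stay inside."""
    if not snapshot_path or "\x00" in snapshot_path:
        raise ValueError("empty or malformed snapshot_path")
    # Drop leading slashes so an absolute path cannot override the base in the join.
    candidate = (base / snapshot_path.lstrip("/\\")).resolve()
    # The base itself is not a snapshot; only a strict descendant is allowed.
    if base not in candidate.parents:
        raise PermissionError(f"snapshot_path escapes allowed directory: {snapshot_path!r}")
    if not candidate.is_dir():
        raise FileNotFoundError(f"no such snapshot: {snapshot_path!r}")
    return candidate


def zip_snapshot(snapshot_path: str) -> bytes:
    """Zip only files beneath the validated snapshot directory; return archive bytes."""
    root = resolve_snapshot_path(snapshot_path)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(root.rglob("*")):
            if path.is_file():
                zf.write(path, arcname=str(path.relative_to(root)))
    return buf.getvalue()


def is_rejected(snapshot_path: str) -> bool:
    """True when the hardened check refuses the parameter."""
    try:
        resolve_snapshot_path(snapshot_path)
    except (ValueError, PermissionError, FileNotFoundError):
        return True
    return False


def make_demo_snapshot(name: str) -> Path:
    """Create a constructed sample snapshot (one text file) under the base directory."""
    snap = SNAPSHOT_BASE / name
    snap.mkdir(parents=True, exist_ok=True)
    (snap / "notes.txt").write_text("constructed sample content\n")
    return snap


def archive_names(data: bytes) -> list:
    """List member names of a zip archive held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()
```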
CVE-2024-6433 is a vulnerability in devika that allows an attacker to read arbitrary files by manipulating the snapshot_path parameter. It is rated as HIGH severity with a CVSS score of 7.5.
You are affected if you run a devika version released before a patch; since no fixed version is currently available, all existing releases are affected.
Currently, there is no fixed version available. Mitigation involves strict input validation on the snapshot_path parameter and restricting the application's user account permissions.
There are currently no known public exploits or confirmed active exploitation campaigns for CVE-2024-6433.
Refer to the devika project's official website or GitHub repository for updates and advisories related to CVE-2024-6433.