Vulnerability Description
A directory traversal vulnerability exists in the /api/download-project-pdf endpoint of the stitionai/devika repository, affecting the latest version. The vulnerability arises due to insufficient sanitization of the 'project_name' parameter in the download_project_pdf function. Attackers can exploit this flaw by manipulating the 'project_name' parameter in a GET request to traverse the directory structure and download arbitrary PDF files from the system. This issue allows attackers to access sensitive information that could be stored in PDF format outside the intended directory.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Stitionai | Devika | 1.0 |
Related Weaknesses (CWE)
References
- https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee7Patch
- https://huntr.com/bounties/7ea0eb5f-7643-4452-bc93-a225e2090283ExploitThird Party Advisory
- https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee7Patch
- https://huntr.com/bounties/7ea0eb5f-7643-4452-bc93-a225e2090283ExploitThird Party Advisory
FAQ
What is CVE-2024-5547?
CVE-2024-5547 is a vulnerability with a CVSS score of 7.5 (HIGH). A directory traversal vulnerability exists in the /api/download-project-pdf endpoint of the stitionai/devika repository, affecting the latest version. The vulnerability arises due to insufficient sani...
How severe is CVE-2024-5547?
CVE-2024-5547 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-5547?
Check the references section above for vendor advisories and patch information. Affected products include: Stitionai Devika.