CVE-2024-5547

Exploit

EPSS 1.26%
Veröffentlicht 27.06.2024 18:15:20
Zuletzt bearbeitet 15.07.2025 15:37:21
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

A directory traversal vulnerability exists in the /api/download-project-pdf endpoint of the stitionai/devika repository, affecting the latest version. The vulnerability arises due to insufficient sanitization of the 'project_name' parameter in the download_project_pdf function. Attackers can exploit this flaw by manipulating the 'project_name' parameter in a GET request to traverse the directory structure and download arbitrary PDF files from the system. This issue allows attackers to access sensitive information that could be stored in PDF format outside the intended directory.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Stitionai ≫ Devika Version1.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.26%	0.788

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-23 Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2

Patch

https://huntr.com/bounties/7ea0eb5f-7643-4452-bc93-a225e2090283

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-5547

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-5547

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-5547

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-5547