A directory traversal vulnerability exists in the stitionai/devika repository, specifically within the /api/download-project endpoint. Attackers can exploit this vulnerability by manipulating the 'project_name' parameter in a GET request to download arbitrary files from the system. This issue affects the latest version of the repository. The vulnerability arises due to insufficient input validation in the 'download_project' function, allowing attackers to traverse the directory structure and access files outside the intended directory. This could lead to unauthorized access to sensitive files on the server.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: @huntr_ai
Published: 2024-06-27T17:33:37.825Z
Updated: 2024-08-01T21:18:06.404Z
Reserved: 2024-05-30T19:40:06.214Z
Link: CVE-2024-5548
Vulnrichment
Updated: 2024-08-01T21:18:06.404Z
NVD
Status : Awaiting Analysis
Published: 2024-06-27T18:15:20.733
Modified: 2024-07-12T08:15:11.313
Link: CVE-2024-5548
Redhat
No data.