CVE-2024-5547
📋 TL;DR
A directory traversal vulnerability in the stitionai/devika repository allows attackers to download arbitrary PDF files from the server's filesystem by placing traversal sequences in the 'project_name' parameter of the /api/download-project-pdf endpoint. Anyone running a vulnerable version of devika is affected, and any PDF the devika process can read, not just project exports, may be exposed.
💻 Affected Systems
- stitionai/devika
📦 What is this software?
Devika, an open-source AI software-engineer agent by Stitionai, published as the stitionai/devika repository on GitHub.
⚠️ Risk & Real-World Impact
Worst Case
Attackers exfiltrate sensitive PDF documents containing credentials, financial data, or confidential business information, leading to data breach and regulatory violations.
Likely Case
Attackers retrieve PDFs stored in predictable locations outside the intended project directory (for example other projects' exports or reports kept elsewhere on the host), exposing internal information.
If Mitigated
With input validation and path containment in place, requests can only reach PDFs inside the intended project directory; traversal attempts are rejected.
🎯 Exploit Status
Exploitation requires only a crafted HTTP GET request to the endpoint; the vulnerability description does not mention any authentication requirement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version containing commit 6acce21fb08c3d1123ef05df6a33912bf0ee77c2
Vendor Advisory: https://github.com/stitionai/devika/commit/6acce21fb08c3d1123ef05df6a33912bf0ee77c2
Restart Required: Yes
Instructions:
1. Update to latest devika version containing commit 6acce21fb08c3d1123ef05df6a33912bf0ee77c2
2. Restart the devika service
3. Verify the fix by testing the /api/download-project-pdf endpoint
🔧 Temporary Workarounds
Input Validation Filter
Add input validation that rejects directory traversal sequences in project_name before it is used to build a filesystem path. This is a denylist and only a stopgap; an allowlist of permitted characters plus a check that the resolved path stays inside the PDF directory is the durable fix.
# In download_project_pdf, before project_name is joined onto the PDF directory:
# (the framework has already URL-decoded the parameter, so %2e%2e%2f arrives as ../)
if '..' in project_name or '/' in project_name or '\\' in project_name:
    return 'Invalid project name', 400
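The denylist above stops the obvious payloads, but the durable fix the advisory's commit points toward is allowlisting the name and proving the resolved path stays inside the PDF directory. The following is an added example written for this page, not devika's own code: the "vulnerable" resolver is a minimal reconstruction of the pattern the advisory describes (user-controlled name joined onto the PDF directory with a .pdf suffix), and the allowlist regex is an assumed policy since the page does not state devika's naming rules.

```python
import os
import re
import shutil
import tempfile

# Allowlist for project names. This policy is an assumption made for the
# example; devika's own naming rules are not stated on the page.
PROJECT_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _-]{0,63}$")


def vulnerable_pdf_path(pdfs_dir: str, project_name: str) -> str:
    """Reconstruction of the unsafe pattern the advisory describes: the
    caller-controlled name is joined onto the PDF directory unchecked, so
    '../' segments walk out of it. Illustrative, not devika's source."""
    return os.path.join(pdfs_dir, f"{project_name}.pdf")


def safe_pdf_path(pdfs_dir: str, project_name: str) -> str:
    """Hardened resolution: allowlist the name first, then prove that the
    fully resolved path (symlinks followed) is still inside pdfs_dir."""
    if not PROJECT_NAME_RE.fullmatch(project_name):
        raise ValueError("invalid project name")
    base = os.path.realpath(pdfs_dir)
    candidate = os.path.realpath(os.path.join(base, f"{project_name}.pdf"))
    # The allowlist already excludes separators and dots; the containment
    # check is defence in depth (e.g. a symlinked project PDF pointing elsewhere).
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the PDF directory")
    return candidate


def resolve(pdfs_dir: str, project_name: str) -> tuple:
    """Run both resolvers on one name. Returns (normalised unsafe path,
    safe result) where the safe result is the path or 'rejected: ...'."""
    try:
        safe = safe_pdf_path(pdfs_dir, project_name)
    except ValueError as exc:
        safe = f"rejected: {exc}"
    return os.path.normpath(vulnerable_pdf_path(pdfs_dir, project_name)), safe


def demo() -> dict:
    """Throwaway layout: <root>/pdfs/ is the intended directory and
    <root>/canary.pdf sits outside it. Shows the unsafe resolver serving the
    canary and the safe one refusing, while a normal name still works."""
    root = os.path.realpath(tempfile.mkdtemp())
    pdfs_dir = os.path.join(root, "pdfs")
    os.mkdir(pdfs_dir)
    canary = b"%PDF-1.4 canary outside pdfs/"
    with open(os.path.join(root, "canary.pdf"), "wb") as fh:
        fh.write(canary)
    with open(os.path.join(pdfs_dir, "my-project.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 legitimate")
    try:
        unsafe_path, safe_result = resolve(pdfs_dir, "../canary")
        with open(unsafe_path, "rb") as fh:
            leaked = fh.read() == canary
        return {
            "unsafe_resolver_leaks_canary": leaked,
            "safe_resolver_rejects_traversal": safe_result.startswith("rejected"),
            "safe_resolver_accepts_normal_name":
                safe_pdf_path(pdfs_dir, "my-project")
                == os.path.join(pdfs_dir, "my-project.pdf"),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

In the request handler, call safe_pdf_path and turn ValueError into an HTTP 400; the realpath/commonpath containment check is what keeps a symlink or an overlooked separator from reopening the hole even if the allowlist is later relaxed.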
Web Application Firewall Rule
Block requests whose project_name parameter contains a traversal sequence. This rejects any legitimate name containing '..' as well, which is acceptable for an emergency rule.
# Example ModSecurity rule (id and phase are mandatory; ARGS are already URL-decoded,
# and t:urlDecodeUni additionally catches double-encoded %252e%252e)
# SecRule ARGS:project_name "@contains .." "id:100001,phase:2,t:urlDecodeUni,log,deny,status:403,msg:'Directory traversal attempt in project_name'"
🧯 If You Can't Patch
- Restrict network access to the /api/download-project-pdf endpoint using firewall rules
- Rate-limit the vulnerable endpoint to slow mass exfiltration and path guessing (this does not prevent exploitation of a single request)
🔍 How to Verify
Check if Vulnerable:
Place a PDF you control outside the PDF directory on the devika host (for example /tmp/canary.pdf), then send GET /api/download-project-pdf?project_name=../../../../tmp/canary with enough ../ segments to reach the filesystem root (try with and without the .pdf suffix, depending on whether the server appends it) and check whether that file is returned. Because the endpoint serves PDF files, a probe for /etc/passwd may not return anything even on a vulnerable instance.
Check Version (run in the devika checkout; the fix is present only if the commit is an ancestor of the running revision, and note that git log --oneline prints abbreviated hashes, so grepping for the full hash there always fails):
git merge-base --is-ancestor 6acce21fb08c3d1123ef05df6a33912bf0ee77c2 HEAD && echo patched || echo vulnerable
Verify Fix Applied:
Repeat the same traversal request after patching; a fixed instance returns an error and never the file outside the PDF directory.
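The verification steps above, as an added example not taken from the page or the devika project: it writes a canary PDF on the devika host, asks the endpoint for it through a traversal path, and declares the instance vulnerable only if the exact canary bytes come back. Assumptions: the script runs on the same host as devika (so /tmp/cve-2024-5547-canary.pdf is the file the server would read), the base URL http://127.0.0.1:1337 is a placeholder for wherever the devika API listens, and since the page says the endpoint serves PDFs the first probe assumes the server appends .pdf itself, with a second probe covering a server that does not.

```python
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

ENDPOINT = "/api/download-project-pdf"
# Canary content written to the devika host by the operator running the check.
CANARY = b"%PDF-1.4\n% CVE-2024-5547 traversal canary\n"
CANARY_PATH = "/tmp/cve-2024-5547-canary.pdf"   # assumed writable on the devika host


def traversal_names(target_path: str, depth: int = 8) -> list:
    """Candidate project_name values that walk up to '/' and down to the canary.
    First variant assumes the server appends '.pdf'; second covers one that does not."""
    rel = target_path.lstrip("/")
    stem = rel[:-4] if rel.endswith(".pdf") else rel
    return ["../" * depth + stem, "../" * depth + rel]


def probe_url(base_url: str, project_name: str) -> str:
    """Build the request URL; urlencode percent-encodes '/' as %2F, which is
    the encoded form the detection section lists as an indicator."""
    query = urllib.parse.urlencode({"project_name": project_name})
    return base_url.rstrip("/") + ENDPOINT + "?" + query


def classify(status: int, body: bytes) -> str:
    """Vulnerable only if the exact canary bytes come back with HTTP 200;
    an error page or an empty 200 is not evidence."""
    return "vulnerable" if status == 200 and body == CANARY else "not vulnerable"


def fetch(url: str, timeout: float = 5.0) -> tuple:
    """Return (status, body); HTTP error responses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_host(base_url: str) -> str:
    """Write the canary, try each traversal variant, clean up, report."""
    with open(CANARY_PATH, "wb") as fh:
        fh.write(CANARY)
    try:
        for name in traversal_names(CANARY_PATH):
            status, body = fetch(probe_url(base_url, name))
            if classify(status, body) == "vulnerable":
                return f"vulnerable (served {CANARY_PATH} via project_name={name!r})"
        return "not vulnerable (canary never returned)"
    finally:
        os.remove(CANARY_PATH)


if __name__ == "__main__":
    # Base URL is an assumed placeholder; pass the real one as the first argument.
    print(check_host(sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:1337"))
```

Run it before and after applying the commit: the first run should report vulnerable and the second should not, which is the evidence the "Verify Fix Applied" step asks for without relying on /etc/passwd.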
📡 Detection & Monitoring
Log Indicators:
- HTTP GET requests to /api/download-project-pdf with ../ patterns in parameters
- PDF files read by the devika process from outside its configured PDF directory
Network Indicators:
- Multiple rapid requests to download-project-pdf endpoint
- Requests with encoded directory traversal sequences (%2e%2e%2f)
SIEM Query:
source="web_server" AND uri_path="/api/download-project-pdf" AND (query_string="*..*" OR query_string="*%2e%2e*" OR query_string="*%252e*")
(the plain "*..*" clause also matches legitimate names that merely contain two dots; tune it to "..%2f", "../" and "..\" if that proves noisy)
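The indicators above can be checked outside a SIEM with a few lines of Python. This is an added example, not part of the page or of devika: it parses Common Log Format access-log lines (constructed for the example, not real traffic), fully percent-decodes each query parameter so encoded (%2e%2e%2f) and double-encoded (%252e) payloads are seen as "../", and only flags a ".." that stands as its own path segment, so a project called "release..v2" does not trip it the way the wildcard SIEM query would. The watched path defaults to the vulnerable endpoint as in the SIEM query; passing watched=None generalises the check to every request.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines for the example; not captured from a real host.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2024:10:01:02 +0000] "GET /api/download-project-pdf?project_name=demo HTTP/1.1" 200 5120
10.0.0.5 - - [12/Jun/2024:10:01:05 +0000] "GET /api/download-project-pdf?project_name=release..v2 HTTP/1.1" 200 7000
203.0.113.7 - - [12/Jun/2024:10:01:09 +0000] "GET /api/download-project-pdf?project_name=../../../../tmp/canary HTTP/1.1" 200 1024
203.0.113.7 - - [12/Jun/2024:10:01:11 +0000] "GET /api/download-project-pdf?project_name=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 12
203.0.113.7 - - [12/Jun/2024:10:01:15 +0000] "GET /api/download-project-pdf?project_name=%252e%252e%252fsecret HTTP/1.1" 200 900
10.0.0.8 - - [12/Jun/2024:10:02:00 +0000] "GET /api/other?project_name=../x HTTP/1.1" 200 10
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A '..' segment bounded by a separator or the string ends; 'release..v2' is not one.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
WATCHED_PATHS = {"/api/download-project-pdf"}


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double encoding (%252e -> %2e -> .) is seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_attempts(log_text: str, watched=WATCHED_PATHS) -> list:
    """Return one alert per request to a watched path whose query carries a
    traversal segment after full decoding. Pass watched=None to check every path."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if watched is not None and parts.path not in watched:
            continue
        # parse_qsl performs the first round of decoding, as the web framework would.
        for key, raw in parse_qsl(parts.query, keep_blank_values=True):
            decoded = decode_fully(raw)
            if TRAVERSAL_RE.search(decoded):
                alerts.append({"ip": m["ip"], "ts": m["ts"], "param": key,
                               "decoded": decoded, "status": int(m["status"])})
    return alerts


if __name__ == "__main__":
    for alert in find_traversal_attempts(SAMPLE_LOG):
        print(alert)
```

A 200 on an alerted line is the one to escalate: it means the traversal resolved to a readable file, whereas the 404 in the sample shows a probe that missed (consistent with the endpoint only serving PDFs).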