CVE-2024-5548

Name of the Vulnerable Software and Affected Versions stitutionai/devika repository (affected versions not specified)

Description A directory traversal issue exists, specifically within the "/api/download-project" endpoint. Attackers can exploit this by manipulating the project name parameter in a GET request to download arbitrary files from the system. The issue arises due to insufficient input validation in the download project function, allowing attackers to traverse the directory structure and access files outside the intended directory. This could lead to unauthorized access to sensitive files on the server.

Recommendations As a temporary workaround, consider disabling the download project function until a patch is available. Restrict access to the "/api/download-project" endpoint to minimize the risk of exploitation. Avoid using the project name parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.