CVE-2024-40422
published 2024-07-24


Priority: P2 · 71 · critical
CVSS 3.1 base score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Flags: EXPLOIT
EPSS: 11.41% (95.5th percentile)
The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter to traverse directories and access sensitive files on the server. This can potentially lead to unauthorized access to critical system files and compromise the confidentiality and integrity of the system.

Affected (1 range)

Vendor: stitionai
Product: devika
Version range: (not given)
Fixed in: (not given)

Detection & IOCs (extracted from sources)

URL: /api/get-browser-snapshot
Path: ../../../../etc/passwd
Command: GET /api/get-browser-snapshot?snapshot_path=../../../../etc/passwd HTTP/1.1
Rule (listed under yara): Nuclei template: GET /api/get-browser-snapshot?snapshot_path=../../../../etc/passwd with response body matching regex root:.*:0:0: and Content-Type header application/octet-stream
  • Detect exploitation attempts by monitoring HTTP GET requests to /api/get-browser-snapshot with a snapshot_path parameter containing directory traversal sequences (e.g., ../).
  • Successful exploitation is indicated by a response body matching the regex root:.*:0:0: (Unix /etc/passwd content) and a Content-Type header of application/octet-stream with HTTP 200.
  • Pre-exploitation fingerprinting of Devika instances can be detected by GET /api/data requests whose JSON response body contains the keys models, projects, OPENAI, and OLLAMA.
  • Devika v1 instances exposed on the internet can be discovered via FOFA using the icon hash -1429839495; monitor for scanning activity targeting this fingerprint.
  • The vulnerability requires no authentication (PR:N, UI:N); any unauthenticated GET request to the snapshot endpoint with traversal sequences should be treated as an attack attempt.
  • The path traversal payload shown targets Linux/Unix systems (/etc/passwd). The exploit was tested on Windows 11, so Windows-specific traversal paths (e.g., ..\..\..\..\windows\win.ini) may also be viable against Windows-hosted instances.
  • The vulnerability specifically affects Devika v1 (cpe:2.3:a:stitionai:devika:1.0). Later versions that patch this issue should not be affected.
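The request-side detection described in the bullets above (traversal sequences in snapshot_path on the snapshot endpoint, plus the Nuclei response matcher), written out as an added example that is not part of the original page or of the Devika project. The access-log lines it scans are constructed here for illustration; the log format, field names and decoding depth are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log entries (combined-log style); not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jul/2024:10:00:01 +0000] "GET /api/get-browser-snapshot?snapshot_path=../../../../etc/passwd HTTP/1.1" 200 1823
10.0.0.5 - - [24/Jul/2024:10:00:02 +0000] "GET /api/get-browser-snapshot?snapshot_path=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1823
10.0.0.7 - - [24/Jul/2024:10:00:03 +0000] "GET /api/get-browser-snapshot?snapshot_path=..%5c..%5c..%5c..%5cwindows%5cwin.ini HTTP/1.1" 200 92
10.0.0.9 - - [24/Jul/2024:10:00:04 +0000] "GET /api/get-browser-snapshot?snapshot_path=snapshots/page1.png HTTP/1.1" 200 40311
10.0.0.9 - - [24/Jul/2024:10:00:05 +0000] "GET /api/data HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
ENDPOINT = "/api/get-browser-snapshot"
# A ".." path segment delimited by / or \ (or by the start/end of the value).
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')
# Success indicator quoted from the Nuclei template above.
PASSWD_RE = re.compile(r'root:.*:0:0:')

def is_traversal(value):
    # parse_qs already decoded once; decode again to catch double-encoded payloads.
    return bool(TRAVERSAL_RE.search(unquote(value)))

def check_line(line):
    """Return a finding dict if the line is a traversal attempt on the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != ENDPOINT:
        return None
    for value in parse_qs(url.query, keep_blank_values=True).get("snapshot_path", []):
        if is_traversal(value):
            return {"ip": m["ip"], "ts": m["ts"], "snapshot_path": value,
                    "http_200": m["status"] == "200"}
    return None

def scan(log_text):
    return [hit for hit in (check_line(l) for l in log_text.splitlines()) if hit]

def response_looks_like_passwd(body, content_type):
    """Response-side check mirroring the Nuclei matcher: octet-stream body with a root entry."""
    return content_type == "application/octet-stream" and PASSWD_RE.search(body) is not None

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 200 in the access log only shows the request was served; pair it with the response-side check (or a WAF/proxy body log) to confirm the file was actually returned.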