CVE-2024-5821
MEDIUMstitionai/devika - Path Traversal via Misspelled File Name Correction
Title source: llmDescription
The vulnerability allows an attacker to access sensitive files on the server by confusing the agent with incorrect file names. When a user requests the content of a file with a misspelled name, the agent attempts to correct the command and inadvertently reveals the content of the intended file, such as /etc/passwd. This can lead to unauthorized access to sensitive information and potential server compromise.
References (1)
Core 1
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/6b729046-b9e1-4fa2-a0c5-603745a6db6b
Scores
CVSS v3
6.2
EPSS
0.0023
EPSS Percentile
13.4%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (1)
stitionai/stitionai/devika
unspecified - latest
Published
Jul 03, 2024
Tracked Since
Feb 18, 2026