CVE-2024-5926

CRITICAL Year: 2024
CVSS v3 Score
9.1
Critical
Weakness Type
CWE-29
View all →

Vulnerability Description

A path traversal vulnerability in the get-project-files functionality of stitionai/devika allows attackers to read arbitrary files from the filesystem and cause a Denial of Service (DoS). This issue is present in all versions of the application. The vulnerability arises due to insufficient path sanitization for the 'project-name' parameter, enabling attackers to specify paths that traverse the filesystem. By setting 'project-name' to the root directory, an attacker can cause the application to attempt to read the entire filesystem, leading to a DoS condition.

Related Vulnerabilities

CVE-2024-5211

CRITICAL
CVSS:9.1(Critical)

A path traversal vulnerability in mintplex-labs/anything-llm allowed a manager to bypass the `normalizePath()` function, intended to defend against path traversal attacks. This vulnerability enables t...

CWE-292024

CVE-2024-7957

CRITICAL
CVSS:9.1(Critical)

An arbitrary file overwrite vulnerability exists in the ZulipConnector of danswer-ai/danswer, affecting the latest version. The vulnerability arises from the load_credentials method, where user-contro...

CWE-292024

CVE-2024-8537

CRITICAL
CVSS:9.1(Critical)

A path traversal vulnerability exists in the modelscope/agentscope application, affecting all versions. The vulnerability is present in the /delete-workflow endpoint, allowing an attacker to delete ar...

CWE-292024

CVE-2024-8769

CRITICAL
CVSS:9.1(Critical)

A vulnerability in the `LockManager.release_locks` function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The `run_hash` parameter, which is user...

CWE-292024

CVE-2024-3573

CRITICAL
CVSS:9.3(Critical)

mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_loc...

CWE-292024

CVE-2024-11170

HIGH
CVSS:8.8(High)

A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of file paths by the multer middleware. This can lead to arbitrary file write and po...

CWE-292024