Cognition Devin before 2024-12-12 provides write access...
High severity
Unreviewed
Published
Dec 16, 2024
to the GitHub Advisory Database
•
Updated Dec 16, 2024
Description
Published by the National Vulnerability Database
Dec 16, 2024
Published to the GitHub Advisory Database
Dec 16, 2024
Last updated
Dec 16, 2024
Cognition Devin before 2024-12-12 provides write access to code by an attacker who discovers the https://vscode-randomly_generated_string.devinapps.com URL (aka the VSCode live share URL) for a specific "Use Devin's Machine" session. For example, this URL may be discovered if a customer posts a screenshot of a Devin session to social media, or publicly streams their Devin session.
References