CVE-2024-4701: Genie Path Traversal vulnerability via File Uploads
Genie’s API accepts a multipart/form-data file upload which can be saved to a location on disk. However, it takes a user-supplied filename as part of the request and uses this as the filename when writing the file to disk. Since this filename is user-controlled, it is possible for a malicious actor to manipulate the filename in order to break out of the default attachment storage path and perform path traversal.
Using this technique it is possible to write a file with any user specified name and file contents to any location on the file system that the Java process has write access to.
References
- github.com/Netflix/genie
- github.com/Netflix/genie/commit/6bad017d8078c94e80d6c6fe8abd693910bf55cf
- github.com/Netflix/genie/pull/1217
- github.com/Netflix/genie/releases/tag/v4.3.18
- github.com/Netflix/genie/security/advisories/GHSA-wpcv-5jgp-69f3
- github.com/advisories/GHSA-wpcv-5jgp-69f3
- nvd.nist.gov/vuln/detail/CVE-2024-4701
Detect and mitigate CVE-2024-4701 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →