CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
AI Score Confidence: High
EPSS Percentile: 10.5%

com.netflix.genie: genie-web is vulnerable to Path Traversal. The vulnerability is caused by improper filename validation in the saveAttachments method within LocalFileSystemAttachmentServiceImpl.java, due to missing checks to prevent a filename from starting with "..". An attacker can upload a file to any location on the system, resulting in arbitrary file write and possible remote code execution. This vulnerability is only exploitable when genie is configured to save files locally.
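The kind of check the description says was missing can be sketched as follows. This is an added example, not Genie's code or the project's fix; the class AttachmentPathGuard, the method resolveAttachment and the sample names are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added illustration; names are hypothetical and not taken from Genie.
public final class AttachmentPathGuard {

    // Returns the path an uploaded attachment may be written to, or throws
    // if the client-supplied name is anything other than a plain file name.
    static Path resolveAttachment(Path baseDir, String clientFilename) throws IOException {
        if (clientFilename == null || clientFilename.isEmpty()) {
            throw new IOException("empty attachment name");
        }
        Path name;
        try {
            name = Paths.get(clientFilename);
        } catch (InvalidPathException e) {
            throw new IOException("invalid attachment name", e);
        }
        // Exactly one path element: no directories, no absolute paths.
        if (name.isAbsolute() || name.getNameCount() != 1) {
            throw new IOException("attachment name must not contain a path: " + clientFilename);
        }
        String leaf = name.toString();
        if (leaf.equals("..") || leaf.equals(".")) {
            throw new IOException("rejected attachment name: " + clientFilename);
        }
        // Defence in depth: after normalization the target must still be a
        // direct child of the base directory (component-wise comparison).
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(name).normalize();
        if (!base.equals(target.getParent())) {
            throw new IOException("attachment escapes base directory: " + clientFilename);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("attachments");
        // Constructed sample names, not taken from any real request.
        String[] samples = {"query.sql", "..", "../job", "dir/../../x.sh", "/abs/path.txt"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolveAttachment(base, s));
            } catch (IOException e) {
                System.out.println(s + " -> REJECTED (" + e.getMessage() + ")");
            }
        }
    }
}
```

normalize() does not resolve symbolic links, so the base directory itself should not be writable by untrusted users.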