9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
7.8 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
10.5%
com.netflix.genie: genie-web is vulnerable to Path Traversal. The vulnerability is caused by improper filename validation in the saveAttachments
method within LocalFileSystemAttachmentServiceImpl.java
, due to missing checks to prevent a filename from starting with ..
. An attacker can upload a file to any location on the system, resulting in arbitrary file write and possible remote code execution. This vulnerability is only exploitable when genie is configured to save files locally.
9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
7.8 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
10.5%