PT-2024-32338 · Genie · Genie

Jmoritzc53 +1

Published 2024-05-09 · Updated 2025-10-25 · CVE-2024-4701

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Genie versions prior to 4.3.18
Description: A path traversal issue exists in Genie that could lead to remote code execution. The issue stems from a vulnerability in the API that accepts file uploads via multipart/form-data. The API uses a user-supplied filename when writing files to disk, allowing a malicious actor to manipulate the filename to perform path traversal. This manipulation could allow writing files with user-specified names and contents to arbitrary locations on the file system where the Java process has write access. Users who do not store file attachments locally are not affected. The issue impacts Genie OSS instances that rely on the filesystem to store file attachments submitted to the application.
Recommendations: Upgrade to Genie OSS version 4.3.18.
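To make the weakness in the description concrete, the following is an added, hypothetical attachment store (not Genie's own code): saveUnsafe shows the pattern of writing to a path built directly from the client-supplied multipart filename, and saveSafe shows the usual hardening of reducing the name to its last segment, normalising, and refusing anything that resolves outside the configured attachment directory. The class name, method names and the baseDir parameter are assumptions for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;

// Hypothetical attachment store used for illustration; not Genie's code.
// Assumes the attachment directory already exists and is configured out of band.
public final class AttachmentStore {
    private final Path baseDir;

    public AttachmentStore(Path baseDir) throws IOException {
        // Canonicalise once (symlinks resolved) so later containment checks
        // compare against the real directory, not a configured alias.
        this.baseDir = baseDir.toRealPath();
    }

    // Vulnerable pattern: the client-controlled filename is used as-is, so
    // "../" segments move the write outside baseDir, anywhere the JVM can write.
    public Path saveUnsafe(String clientFilename, InputStream body) throws IOException {
        Path target = baseDir.resolve(clientFilename);
        Files.copy(body, target, StandardCopyOption.REPLACE_EXISTING);
        return target;
    }

    // Hardened: keep only the last path segment, reject empty or dot names,
    // normalise, and verify the result is still inside baseDir before any I/O.
    public Path saveSafe(String clientFilename, InputStream body) throws IOException {
        Path name = Paths.get(clientFilename).getFileName();   // null for "/" etc.
        String leaf = (name == null) ? "" : name.toString();
        if (leaf.isEmpty() || leaf.equals(".") || leaf.equals("..")) {
            throw new IllegalArgumentException("invalid attachment name");
        }
        Path target = baseDir.resolve(leaf).normalize();
        // startsWith on Path is segment-wise, so "/data/att2" does not
        // pass as a child of "/data/att".
        if (!target.startsWith(baseDir)) {
            throw new IllegalArgumentException("attachment name escapes store directory");
        }
        Files.copy(body, target, StandardCopyOption.REPLACE_EXISTING);
        return target;
    }
}
```

On hosts where this applies, the containment check is also a useful place to emit a log line, since a rejected name is a direct indicator of probing for this class of bug.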

Fix · RCE · Path traversal


Weakness Enumeration

Related Identifiers: CVE-2024-4701, GHSA-WPCV-5JGP-69F3

Affected Products: Genie