Scan free
CRITICALCVE-2024-4701CVSS 9.9

CVE-2024-4701: Path Traversal in Genie

Platform

python

Component

genie

Fixed in

4.3.19

AI Confidence: highNVDEPSS 17.6%Reviewed: May 2026
View on NVD
Save

CVE-2024-4701 describes a critical path traversal vulnerability discovered in Genie, a Python-based configuration management tool. This flaw allows attackers to potentially execute arbitrary code on vulnerable systems by manipulating file paths. Versions of Genie prior to 4.3.18 are affected, and a patch has been released in version 4.3.19 to address the issue.

Python

Detect this CVE in your project

Upload your requirements.txt file and we'll tell you instantly if you're affected.

Upload requirements.txtSupported formats: requirements.txt · Pipfile.lock

Impact and Attack Scenarios

The path traversal vulnerability in Genie allows an attacker to bypass intended access controls and read or write files outside of the intended directory. This can lead to a complete compromise of the system, including data exfiltration, modification of configuration files, and the execution of malicious code. Successful exploitation could grant an attacker persistent access and control over the affected system. The potential for remote code execution significantly elevates the risk, as attackers can leverage this vulnerability to install malware, create backdoors, or launch further attacks against other systems on the network. This vulnerability shares similarities with other path traversal exploits where attackers leverage improperly validated user input to navigate the file system.

Exploitation Context

CVE-2024-4701 was publicly disclosed on 2024-05-10. The vulnerability's CVSS score of 9.9 (CRITICAL) indicates a high probability of exploitation. Currently, there are no publicly available proof-of-concept exploits, but the severity of the vulnerability suggests that it is likely to be targeted by attackers. It is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

17.58% (95% percentile)

CISA SSVC

Exploitationpoc
Automatableyes
Technical Impacttotal

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L9.9CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredLowAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeChangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityLowRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Componentgenie
VendorNetflix
Affected rangeFixed in
0 – 4.3.184.3.19

Weakness Classification (CWE)

CWE-22

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-4701 is to immediately upgrade Genie to version 4.3.19 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting file access permissions and implementing strict input validation to prevent path manipulation. Employ a Web Application Firewall (WAF) with rules to block requests containing suspicious path traversal patterns (e.g., '../'). Monitor system logs and network traffic for unusual activity, particularly attempts to access files outside of expected directories. Consider using a security scanner to identify potential vulnerabilities in your Genie configuration.

How to fix

Update Genie to version 4.3.19 or later. This update addresses the path traversal vulnerability that allows remote code execution. It is recommended to perform the update as soon as possible to mitigate the risk.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2024-4701 — Path Traversal in Genie?

CVE-2024-4701 is a critical path traversal vulnerability affecting Genie versions 0–4.3.18, allowing attackers to potentially execute code. It's a serious security risk requiring immediate attention.

Am I affected by CVE-2024-4701 in Genie?

If you are using Genie versions 0.0.0 through 4.3.18, you are affected by this vulnerability. Check your Genie version and upgrade immediately.

How do I fix CVE-2024-4701 in Genie?

The recommended fix is to upgrade Genie to version 4.3.19 or later. If upgrading is not possible, implement temporary workarounds like restricting file access and using a WAF.

Is CVE-2024-4701 being actively exploited?

While no public exploits are currently available, the vulnerability's critical severity suggests it is likely to be targeted. Proactive mitigation is essential.

Where can I find the official Genie advisory for CVE-2024-4701?

Refer to the official Genie project's security advisories and release notes for detailed information and updates regarding CVE-2024-4701.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs