Local File Inclusion in h2oai/h2o-3
CVE-2023-6038

9.3CRITICAL

Key Information:

Vendor: H2oai
Status: H2oai/h2o-3
Vendor: CVE Published:; 16 November 2023

What is CVE-2023-6038?

A Local File Inclusion vulnerability in the h2o-3 REST API allows unauthenticated attackers to read arbitrary files on the server. This issue arises from improper validation of file paths, enabling exploitation through specific GET or POST requests to the ImportFiles and ParseSetup endpoints. The vulnerability affects installations of h2o-3 without user interaction, posing a significant risk to sensitive server data. Identified in version 3.40.0.4, immediate remediation is recommended to mitigate potential exposure.

Affected Version(s)

h2oai/h2o-3 <= unspecified

References

https://huntr.com/bounties/380fce33-fec5-49d9-a101-12c972...

EPSS Score

63% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Nov 16, 2023
Vulnerability Reserved
Nov 8, 2023

JSON