cvelist @huntr_ai CVELIST:CVE-2023-6038
History: Nov 16, 2023 - 4:06 p.m.

CVE-2023-6038 Local File Inclusion in h2oai/h2o-3

2023-11-16 16:06:43
CWE-862
@huntr_ai
www.cve.org
local file inclusion
h2o-3
rest api
unauthenticated remote attackers
arbitrary files
server permissions
get requests
post requests
importfiles endpoint
parsesetup endpoint
version 3.40.0.4

CVSS3: 9.3 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

EPSS: 0.071 Low (Percentile: 94.0%)

A Local File Inclusion (LFI) vulnerability exists in the h2o-3 REST API, allowing unauthenticated remote attackers to read arbitrary files on the server with the permissions of the user running the h2o-3 instance. This issue affects the default installation and does not require user interaction. The vulnerability can be exploited by making specific GET or POST requests to the ImportFiles and ParseSetup endpoints, respectively. This issue was identified in version 3.40.0.4 of h2o-3.

CNA Affected

[
  {
    "vendor": "h2oai",
    "product": "h2oai/h2o-3",
    "versions": [
      {
        "version": "unspecified",
        "status": "affected",
        "versionType": "custom",
        "lessThanOrEqual": "latest"
      }
    ]
  }
]

