Lucene search

@huntr_aiCVELIST:CVE-2024-1456

HistoryApr 16, 2024 - 12:00 a.m.

CVE-2024-1456 S3 Bucket Takeover in h2oai/h2o-3

2024-04-1600:00:13

CWE-840

@huntr_ai

www.cve.org

cve-2024-1456

s3 bucket takeover

h2oai/h2o-3

unauthorized takeover

s3 bucket vulnerability

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

An S3 bucket takeover vulnerability was identified in the h2oai/h2o-3 repository. The issue involves the S3 bucket ‘http://s3.amazonaws.com/h2o-training’, which was found to be vulnerable to unauthorized takeover.

CNA Affected

[
  {
    "vendor": "h2oai",
    "product": "h2oai/h2o-3",
    "versions": [
      {
        "version": "unspecified",
        "status": "affected",
        "versionType": "custom",
        "lessThanOrEqual": "latest"
      }
    ]
  }
]

References

huntr.com/bounties/7c1b7f27-52f3-4b4b-9d81-e277f5e0ab6b

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for CVELIST:CVE-2024-1456