osv | Google | OSV:GHSA-6MV8-95X5-XCQ9
History: Nov 16, 2023 - 6:30 p.m.

H2O local file inclusion vulnerability

2023-11-16 18:30:31
Google
osv.dev
local file inclusion
h2o-3
unauthenticated remote attackers
arbitrary files
server permissions
specific requests
importfiles
parsesetup
version 3.40.0.4

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 9.2 High (Confidence: High)

EPSS: 0.071 Low (Percentile: 94.0%)

A Local File Inclusion (LFI) vulnerability exists in the h2o-3 REST API, allowing unauthenticated remote attackers to read arbitrary files on the server with the permissions of the user running the h2o-3 instance. This issue affects the default installation and does not require user interaction. The vulnerability can be exploited by making specific GET or POST requests to the ImportFiles and ParseSetup endpoints, respectively. This issue was identified in version 3.40.0.4 of h2o-3.
