Lucene search

@huntr_aiVULNRICHMENT:CVE-2024-1456

HistoryApr 16, 2024 - 12:00 a.m.

CVE-2024-1456 S3 Bucket Takeover in h2oai/h2o-3

2024-04-1600:00:13

CWE-840

@huntr_ai

github.com

cve-2024-1456

s3 bucket

takeover

h2oai/h2o-3

unauthorized

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

6.8 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.0%

JSON

An S3 bucket takeover vulnerability was identified in the h2oai/h2o-3 repository. The issue involves the S3 bucket ‘http://s3.amazonaws.com/h2o-training’, which was found to be vulnerable to unauthorized takeover.

CNA Affected

[
  {
    "vendor": "h2oai",
    "product": "h2oai/h2o-3",
    "versions": [
      {
        "version": "unspecified",
        "status": "affected",
        "versionType": "custom",
        "lessThanOrEqual": "latest"
      }
    ]
  }
]

References

huntr.com/bounties/7c1b7f27-52f3-4b4b-9d81-e277f5e0ab6b

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

6.8 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for VULNRICHMENT:CVE-2024-1456