In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the issue resides in the Typeahead API call, which when requested with a typeahead lookup of '/', exposes the root filesystem including directories such as /home, /usr, /bin, among others. This vulnerability could allow attackers to explore the entire filesystem, and when combined with a Local File Inclusion (LFI) vulnerability, could make exploitation of the server trivial.
History

Thu, 17 Oct 2024 14:30:00 +0000

Type Values Removed Values Added
First Time appeared H2o
H2o h2o
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:h2o:h2o:3.40.0.4:*:*:*:*:python:*:*
Vendors & Products H2o
H2o h2o
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-06-06T18:18:36.358Z

Updated: 2024-08-01T21:18:06.328Z

Reserved: 2024-05-30T21:05:04.309Z

Link: CVE-2024-5550

cve-icon Vulnrichment

Updated: 2024-08-01T21:18:06.328Z

cve-icon NVD

Status : Modified

Published: 2024-06-06T19:16:09.473

Modified: 2024-11-21T09:47:54.640

Link: CVE-2024-5550

cve-icon Redhat

No data.