CVE-2023-6038

high-risk
Published 2023-11-16

A Local File Inclusion (LFI) vulnerability exists in the h2o-3 REST API, allowing unauthenticated remote attackers to read arbitrary files on the server with the permissions of the user running the h2o-3 instance. This issue affects the default installation and does not require user interaction. The vulnerability can be exploited by making specific GET or POST requests to the ImportFiles and ParseSetup endpoints, respectively. This issue was identified in version 3.40.0.4 of h2o-3.

Do I need to act?

!
63.3% chance of exploitation in next 30 days
EPSS score — higher than 37% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (1)

H2O

Affected Vendors

H2O

References (2)

Exploit https://huntr.com/bounties/380fce33-fec5-49d9-a101-12c972125d8c
Exploit https://huntr.com/bounties/380fce33-fec5-49d9-a101-12c972125d8c
50
/ 100
high-risk
Severity 26/34 · High
Exploitability 19/34 · Moderate
Exposure 5/34 · Minimal