// For flags

CVE-2024-5550

Exposure of Sensitive Information via Arbitrary System Path Lookup in h2oai/h2o-3

Severity Score

5.3
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the issue resides in the Typeahead API call, which when requested with a typeahead lookup of '/', exposes the root filesystem including directories such as /home, /usr, /bin, among others. This vulnerability could allow attackers to explore the entire filesystem, and when combined with a Local File Inclusion (LFI) vulnerability, could make exploitation of the server trivial.

En h2oai/h2o-3 versión 3.40.0.4, existe una vulnerabilidad de exposición de información confidencial debido a una función de búsqueda de ruta arbitraria del sistema. Esta vulnerabilidad permite a cualquier usuario remoto ver las rutas completas en todo el sistema de archivos donde está alojado h2o-3. Específicamente, el problema reside en la llamada API Typeahead, que cuando se solicita con una búsqueda anticipada de '/', expone el sistema de archivos raíz, incluidos directorios como /home, /usr, /bin, entre otros. Esta vulnerabilidad podría permitir a los atacantes explorar todo el sistema de archivos y, cuando se combina con una vulnerabilidad de inclusión de archivos locales (LFI), podría hacer que la explotación del servidor sea trivial.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
Poc
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-05-30 CVE Reserved
  • 2024-06-06 CVE Published
  • 2024-08-01 CVE Updated
  • 2024-10-18 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
H2o
Search vendor "H2o"
 H2o
Search vendor "H2o" for product "H2o"
*-
Affected
H2oai
Search vendor "H2oai"
 H2oai/h2o-3
Search vendor "H2oai" for product "H2oai/h2o-3"
*-
Affected