1. Home
  2. Vulnerabilities
  3. CVE-2023-6038

CVE-2023-6038

CVSS v3.1 7.5 (High)
75% Progress
EPSS 7.26 % (94th)
7.26% Progress
Affected Products 1
Advisories 1
NVD Status Modified
Info CVSS EPSS CAPEC Affected Configurations References Security Advisories Packages & Software Graph Web & Social Timeline

A Local File Inclusion (LFI) vulnerability exists in the h2o-3 REST API, allowing unauthenticated remote attackers to read arbitrary files on the server with the permissions of the user running the h2o-3 instance. This issue affects the default installation and does not require user interaction. The vulnerability can be exploited by making specific GET or POST requests to the ImportFiles and ParseSetup endpoints, respectively. This issue was identified in version 3.40.0.4 of h2o-3.

Weaknesses
CWE-862
Missing Authorization
CVE Status
PUBLISHED
NVD Status
Modified
CNA
huntr.dev
Published Date
2023-11-16 17:15:09
(10 months ago)
Updated Date
2024-04-16 12:15:08
(5 months ago)

Affected Products

H2o

Configuration #1

    CPE23 From Up To
  H2o cpe:2.3:a:h2o:h2o:-