9.3

CVE-2023-6038

Exploit

EPSS 63.28%
Veröffentlicht 16.11.2023 17:15:09
Zuletzt bearbeitet 21.11.2024 08:43:01
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

A Local File Inclusion (LFI) vulnerability exists in the h2o-3 REST API, allowing unauthenticated remote attackers to read arbitrary files on the server with the permissions of the user running the h2o-3 instance. This issue affects the default installation and does not require user interaction. The vulnerability can be exploited by making specific GET or POST requests to the ImportFiles and ParseSetup endpoints, respectively. This issue was identified in version 3.40.0.4 of h2o-3.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

H2o ≫ H2o Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	63.28%	0.983

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security@huntr.dev	9.3	3.9	4.7	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://huntr.com/bounties/380fce33-fec5-49d9-a101-12c972125d8c

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-6038

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-6038

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-6038

EUVD