CVE-2023-6038 CRITICAL

CVE-2023-6038: Local File Inclusion in h2oai/h2o-3

Vendor H2Oai
Product h2oai/h2o-3
Weakness CWE-862 · Missing authorization
Published November 16, 2023
Last update August 29, 2024
View on NVD All CVEs

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

What the vulnerability does

01Description

A Local File Inclusion (LFI) vulnerability exists in the h2o-3 REST API, allowing unauthenticated remote attackers to read arbitrary files on the server with the permissions of the user running the h2o-3 instance. This issue affects the default installation and does not require user interaction. The vulnerability can be exploited by making specific GET or POST requests to the ImportFiles and ParseSetup endpoints, respectively. This issue was identified in version 3.40.0.4 of h2o-3.

Key dates

02Disclosure timeline

November 16, 2023 CVE published
August 29, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-3711 Brizy – Page Builder <= 2.4.43 - Missing Authorization CVE-2024-12253 Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal <= 3.1.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update / Data Access CVE-2025-58073 Arbitrary Mattermost Team can be joined by manipulating the OAuth state CVE-2023-33995 WordPress Photo Gallery by 10Web plugin <= 1.8.15 - Broken Access Control vulnerability CVE-2020-36712 Kali Forms <= 2.1.1 - Unauthenticated Arbitrary Post Deletion