CVE-2024-5550 — MEDIUM (5.3)

Vulnerability Description

In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the issue resides in the Typeahead API call, which when requested with a typeahead lookup of '/', exposes the root filesystem including directories such as /home, /usr, /bin, among others. This vulnerability could allow attackers to explore the entire filesystem, and when combined with a Local File Inclusion (LFI) vulnerability, could make exploitation of the server trivial.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
H2O	H2O	3.40.0.4

Related Weaknesses (CWE)

CWE-22

References

https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dcExploitThird Party Advisory
https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dcExploitThird Party Advisory

FAQ

What is CVE-2024-5550?

CVE-2024-5550 is a vulnerability with a CVSS score of 5.3 (MEDIUM). In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths ...

How severe is CVE-2024-5550?

CVE-2024-5550 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-5550?

Check the references section above for vendor advisories and patch information. Affected products include: H2O H2O.