CVE-2023-6569 : External Control of File Name or Path in h2oai/h2o-3

External Control of File Name or Path in h2oai/h2o-3

Published 2023-12-14 13:15:55

Updated 2023-12-18 20:14:18

Source huntr.dev

View at NVD, CVE.org

Vulnerability category: File inclusion

Products affected by CVE-2023-6569

H2O » H2O » Version: 3.40.0.4
cpe:2.3:a:h2o:h2o:3.40.0.4:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.08%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 35 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.3	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H	3.9	4.7	huntr.dev
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: None Integrity: Low Availability: High
8.2	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H	3.9	4.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: High

CWE-73 External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

Assigned by: security@huntr.dev (Secondary)
CWE-610 Externally Controlled Reference to a Resource in Another Sphere

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.

Assigned by: nvd@nist.gov (Primary)

https://huntr.com/bounties/a5d003dc-c23e-4c98-8dcf-35ba9252fa3c

Remote Arbitrary System File Overwrite vulnerability found in h2o-3
Exploit

Jump to