What is CVE-2023-6038?

CVE-2023-6038 is a vulnerability in H2O, a popular web server, that allows an attacker to read any file on the server hosting the H2O dashboard without any authentication.

How severe is CVE-2023-6038?

CVE-2023-6038 has a severity rating of 9.3 (critical).

What software is affected by CVE-2023-6038?

H2O is affected by CVE-2023-6038.

How can an attacker exploit CVE-2023-6038?

An attacker can exploit CVE-2023-6038 to read any file on the server hosting the H2O dashboard without any authentication.

Is there a fix for CVE-2023-6038?

Currently, there is no known fix for CVE-2023-6038. It is recommended to keep the H2O software up to date and follow any available security recommendations from the vendor.

Vulnerability/
CVE-2023-6038

critical

9.3

CWE

862

EPSS

4.998%

16/11/2023

29/8/2024

CVE-2023-6038: Local File Inclusion in h2oai/h2o-3

First published: Thu Nov 16 2023(Updated: )

A Local File Inclusion (LFI) vulnerability exists in the h2o-3 REST API, allowing unauthenticated remote attackers to read arbitrary files on the server with the permissions of the user running the h2o-3 instance. This issue affects the default installation and does not require user interaction. The vulnerability can be exploited by making specific GET or POST requests to the ImportFiles and ParseSetup endpoints, respectively. This issue was identified in version 3.40.0.4 of h2o-3.

Credit: security@huntr.dev security@huntr.dev

Affected Software	Affected Version	How to fix
H2o H2o
maven/ai.h2o:h2o-core	<=3.40.0.4

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-6038?
CVE-2023-6038 is a vulnerability in H2O, a popular web server, that allows an attacker to read any file on the server hosting the H2O dashboard without any authentication.
How severe is CVE-2023-6038?
CVE-2023-6038 has a severity rating of 9.3 (critical).
What software is affected by CVE-2023-6038?
H2O is affected by CVE-2023-6038.
How can an attacker exploit CVE-2023-6038?
An attacker can exploit CVE-2023-6038 to read any file on the server hosting the H2O dashboard without any authentication.
Is there a fix for CVE-2023-6038?
Currently, there is no known fix for CVE-2023-6038. It is recommended to keep the H2O software up to date and follow any available security recommendations from the vendor.

agent/type
agent/first-publish-date
agent/severity
collector/epss-latest
source/FIRST
agent/epss
agent/weakness
agent/author
agent/references
agent/softwarecombine
agent/event
agent/tags
agent/title
collector/github-advisory-latest
source/GitHub
alias/GHSA-6mv8-95x5-xcq9
alias/CVE-2023-6038
agent/software-canonical-lookup
collector/nvd-cve
source/NVD
collector/nvd-api
collector/github-advisory
agent/description
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/trending
package-manager/maven
vendor/h2o
canonical/h2o h2o

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.