CVE-2023-6569: External Control of File Name or Path in h2oai/h2o-3
First published: Thu Dec 14 2023(Updated: )
External Control of File Name or Path in h2oai/h2o-3
Credit: security@huntr.dev security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/h2o | <=3.44.0.2 | |
| H2O.ai H2O | =3.40.0.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-6569?
CVE-2023-6569 is considered a high-severity vulnerability due to the potential for unauthorized file overwrites.
How do I fix CVE-2023-6569?
To fix CVE-2023-6569, upgrade the h2o package to version 3.44.0.3 or later, or implement access controls to restrict file overwriting permissions.
Who is affected by CVE-2023-6569?
Users of h2o versions up to and including 3.44.0.2 and h2o version 3.40.0.4 are affected by CVE-2023-6569.
What kind of attacks can CVE-2023-6569 facilitate?
CVE-2023-6569 can facilitate remote unauthenticated attacks that allow attackers to overwrite arbitrary server files.
What types of files are involved in CVE-2023-6569?
CVE-2023-6569 can involve overwriting files such as CSV and XLS that are written to disk by the h2o application.
- collector/github-advisory-latest
- alias/GHSA-gqrq-j6pm-98c2
- alias/CVE-2023-6569
- collector/github-advisory
- agent/weakness
- agent/author
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/title
- agent/severity
- agent/references
- agent/event
- agent/description
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-api
- package-manager/pip
- vendor/h2o
- canonical/h2o.ai h2o
- version/h2o.ai h2o/3.40.0.4