CVE-2024-5550: Exposure of Sensitive Information via Arbitrary System Path Lookup in h2oai/h2o-3
First published: Thu Jun 06 2024(Updated: )
In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the issue resides in the Typeahead API call, which when requested with a typeahead lookup of '/', exposes the root filesystem including directories such as /home, /usr, /bin, among others. This vulnerability could allow attackers to explore the entire filesystem, and when combined with a Local File Inclusion (LFI) vulnerability, could make exploitation of the server trivial.
Credit: security@huntr.dev security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/h2o | <=3.40.0.4 | |
| H2o H2o Python | =3.40.0.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/weakness
- agent/title
- agent/type
- agent/description
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-x234-r5fg-x52m
- alias/CVE-2024-5550
- agent/software-canonical-lookup
- agent/references
- agent/author
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/softwarecombine
- collector/nvd-api
- agent/last-modified-date
- agent/tags
- agent/trending
- package-manager/pip
- vendor/h2o
- canonical/h2o h2o python
- version/h2o h2o python/3.40.0.4