Critical severityNVD Advisory· Published Nov 16, 2023· Updated Aug 29, 2024
Local File Inclusion in h2oai/h2o-3
CVE-2023-6038
Description
A Local File Inclusion (LFI) vulnerability exists in the h2o-3 REST API, allowing unauthenticated remote attackers to read arbitrary files on the server with the permissions of the user running the h2o-3 instance. This issue affects the default installation and does not require user interaction. The vulnerability can be exploited by making specific GET or POST requests to the ImportFiles and ParseSetup endpoints, respectively. This issue was identified in version 3.40.0.4 of h2o-3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ai.h2o:h2o-coreMaven | <= 3.40.0.4 | — |
Affected products
2Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.