Lucene search

GitHub Advisory DatabaseGHSA-GQRQ-J6PM-98C2

HistoryDec 14, 2023 - 3:30 p.m.

External Control of File Name or Path in h2oai/h2o-3

2023-12-1415:30:22

CWE-73

CWE-610

GitHub Advisory Database

github.com

external control

file path

unauthenticated attackers

arbitrary server files

h2oai

csv/xls

data manipulation

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

7.1 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.1%

JSON

Remote unauthenticated attackers can overwrite arbitrary server files with attacker-controllable data. The data that the attacker can control is not entirely arbitrary. h2o writes a CSV/XLS/etc file to disk, so the attacker data is wrapped in quotations and starts with “C1”, if they’re exporting as CSV.

Affected configurations

Vulners

Node

h2oh2oRange≤3.44.0.2

CPENameOperatorVersion
h2ole3.44.0.2

CPE	Name	Operator	Version
	h2o	le	3.44.0.2

References

github.com/advisories/GHSA-gqrq-j6pm-98c2

huntr.com/bounties/a5d003dc-c23e-4c98-8dcf-35ba9252fa3c

nvd.nist.gov/vuln/detail/CVE-2023-6569

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

7.1 High

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.1%

JSON

Related for GHSA-GQRQ-J6PM-98C2