Critical

h2o-3

Local File Inclusion Vulnerability

A Local File Inclusion (LFI) vulnerability was identified in the h2o-3 API version 3.40.0.4, allowing unauthenticated remote attackers to read any file on the server's filesystem. This vulnerability is present in the default installation of the software, requiring no user interaction to exploit. The issue was reported to the developers on June 8, 2023, but as of the last update, a fixed version has not been specified.

Available publicly on Nov 16 2023

CVSS: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)

Credit: danmcinerney

Threat Overview

The vulnerability arises from the h2o-3 API's handling of file paths in its ImportFiles and ParseSetup endpoints. By manipulating the 'path' parameter in the ImportFiles endpoint or the 'source_frames' parameter in the ParseSetup endpoint, an attacker can include local files from the server's filesystem. This is possible due to insufficient validation of user-supplied input, allowing directory traversal characters to be used to access arbitrary files. The exploitation of this vulnerability does not require authentication, making it possible for any remote attacker to read sensitive files on the server, such as configuration files, source code, or even system files, depending on the server's permissions.
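The weakness described above is a path value that is used without being canonicalised and confined to an allowed directory. The following Python is an added example, not code from h2o-3 or from the advisory: it shows the check a server-side import endpoint can apply to a user-supplied 'path' value so that traversal sequences, percent-encoded variants and NUL bytes cannot reach a file outside the import root. The root directory, the exception type and the function names are assumptions made for the example.

```python
import os
from urllib.parse import unquote


class UnsafeImportPath(ValueError):
    """Raised when a user-supplied path would resolve outside the import root."""


def resolve_import_path(allowed_root: str, user_path: str) -> str:
    """Map a user-supplied path onto a file beneath allowed_root, or refuse it.

    Both sides are canonicalised with os.path.realpath, which collapses '..',
    repeated separators and symlinks; the result must still lie inside the
    root. Absolute input is treated as relative to the root rather than to '/'.
    allowed_root is an assumed server-side setting, not an h2o-3 option.
    """
    root = os.path.realpath(allowed_root)
    # Assume the value arrives as it appeared in the query string, so decode once
    # so that '%2e%2e/' is judged the same way as '../'.
    decoded = unquote(user_path)
    if "\x00" in decoded:
        # A NUL byte can truncate the path in lower layers; never pass it on.
        raise UnsafeImportPath("NUL byte in path")
    relative = decoded.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root, relative))
    # commonpath is a prefix test on whole path components, so a sibling such
    # as '/srv/h2o/imports-old' does not pass as being inside the root.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeImportPath(f"path escapes import root: {user_path!r}")
    return candidate


def is_safe_import_path(allowed_root: str, user_path: str) -> bool:
    """Boolean form of the same check, convenient for request validation."""
    try:
        resolve_import_path(allowed_root, user_path)
        return True
    except UnsafeImportPath:
        return False


if __name__ == "__main__":
    root = "/srv/h2o/imports"  # assumed import directory for the demonstration
    for value in ["data/train.csv", "data/../train.csv", "../../../../etc/passwd",
                  "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"]:
        try:
            print(f"{value!r:32} -> {resolve_import_path(root, value)}")
        except UnsafeImportPath as exc:
            print(f"{value!r:32} -> REJECTED ({exc})")
```

Note that an absolute value such as '/etc/passwd' is not rejected outright but re-rooted under the import directory, so a legitimate absolute path inside the root still works while one outside it can never be reached; whether the endpoint should instead refuse absolute input altogether is a policy choice for the deployment.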

Attack Scenario

An attacker discovers an h2o-3 API server running version 3.40.0.4 accessible over the internet. The attacker uses the curl command to send a specially crafted request to the ImportFiles endpoint, specifying a path parameter that includes directory traversal characters to reference the '/etc/passwd' file. The server processes the request and returns the contents of the '/etc/passwd' file in the response, thereby leaking sensitive information.
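From the defender's side, the request shape in this scenario leaves a clear trace in the web server's access log. The following Python is an added example, not part of the advisory or of h2o-3: it scans constructed combined-log lines for requests to the ImportFiles and ParseSetup endpoints whose path or source_frames value contains an upward traversal or an absolute path outside an assumed import root, peeling off repeated percent-encoding first. The log format, the /3/ endpoint prefix and the import root are assumptions; the sample lines are constructed, not real h2o-3 output.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed location of legitimate import data on the server (not from the advisory).
ALLOWED_ROOT = "/srv/h2o/imports"

# Endpoints named in the advisory and the parameter each one reads a path from;
# the /3/ prefix is assumed for the example.
WATCHED_PARAMS = {"/3/ImportFiles": "path", "/3/ParseSetup": "source_frames"}

# Constructed access-log lines in combined-log style; they are not real h2o-3 output.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Nov/2023:10:00:01 +0000] "GET /3/ImportFiles?path=data/train.csv HTTP/1.1" 200 512
203.0.113.9 - - [16/Nov/2023:10:00:07 +0000] "GET /3/ImportFiles?path=../../../../etc/passwd HTTP/1.1" 200 1893
203.0.113.9 - - [16/Nov/2023:10:00:09 +0000] "GET /3/ImportFiles?path=%252e%252e%2f%252e%252e%2fetc%2fpasswd HTTP/1.1" 200 1893
10.0.0.5 - - [16/Nov/2023:10:00:12 +0000] "POST /3/ParseSetup?source_frames=%5B%22data%2Ftrain.csv%22%5D HTTP/1.1" 200 300
203.0.113.9 - - [16/Nov/2023:10:00:15 +0000] "POST /3/ParseSetup?source_frames=%5B%22%2Fetc%2Fpasswd%22%5D HTTP/1.1" 200 120
10.0.0.5 - - [16/Nov/2023:10:00:20 +0000] "GET /3/Cloud HTTP/1.1" 200 80
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)


def fully_decode(value: str) -> str:
    """Peel off repeated layers of percent-encoding (bounded to avoid loops)."""
    for _ in range(4):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_path(value: str) -> bool:
    """True if any path in the value climbs upward or points outside ALLOWED_ROOT."""
    decoded = fully_decode(value).replace("\\", "/")
    # source_frames carries a JSON-style list; split out the individual path strings.
    for candidate in re.findall(r'[^\[\]",]+', decoded):
        if ".." in candidate.split("/"):
            return True
        if candidate.startswith("/") and not candidate.startswith(ALLOWED_ROOT + "/"):
            return True
    return False


def scan_access_log(text: str) -> list:
    """Return one finding per request whose watched parameter looks like traversal."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        param = WATCHED_PARAMS.get(url.path)
        if param is None:
            continue
        # parse_qs decodes one layer; fully_decode in is_suspicious_path handles the rest.
        for value in parse_qs(url.query).get(param, []):
            if is_suspicious_path(value):
                findings.append({
                    "src": m["src"], "ts": m["ts"], "endpoint": url.path,
                    "param": param, "value": value, "status": m["status"],
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        # A 200 status on a flagged request means the server most likely returned the file.
        print(f"{f['ts']} {f['src']} {f['endpoint']} {f['param']}={f['value']!r} -> HTTP {f['status']}")
```

The status code is kept in each finding because, for this issue, a flagged request that returned 200 is the one to treat as a probable disclosure rather than a failed probe; the same logic can be pointed at a reverse proxy's log if h2o-3 itself is not logging request targets.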

Who is affected

Any organization or individual using the h2o-3 API version 3.40.0.4 in its default configuration is vulnerable to this attack. The vulnerability allows remote, unauthenticated attackers to read any file on the server's filesystem that the server process has access to. This could lead to the disclosure of sensitive information, potentially compromising the security of the server and the data it hosts.
