Critical

h2o-3

Local File Inclusion Vulnerability

A Local File Inclusion (LFI) vulnerability was identified in the h2o-3 API version 3.40.0.4, allowing unauthenticated remote attackers to read any file on the server's filesystem. This vulnerability is present in the default installation of the software, requiring no user interaction to exploit. The issue was reported to the developers on June 8, 2023, but as of the last update, a fixed version has not been specified.

Available publicly on Nov 16, 2023

CVSS: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)

Credit: danmcinerney

Remediation Steps
  • Update to a version of H2O-3 that patches this vulnerability as soon as it becomes available.
  • As an immediate mitigation, restrict access to the H2O-3 API endpoints to trusted networks or VPNs only.
  • Implement input validation for the 'path' and 'source_frames' parameters to reject suspicious or unexpected input.
  • Regularly review and update the security configurations of all API endpoints to ensure they are not accessible by unauthorized users.
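The third step above calls for input validation on the 'path' and 'source_frames' parameters. The following is an added example of what such server-side checks can look like; it is not the project's own fix and assumes, for illustration, that 'path' names a file relative to a single import directory (ALLOWED_ROOT, a constructed value) and that 'source_frames' is a list of frame keys limited to a conservative identifier character set (FRAME_KEY_RE, also an assumption).

```python
import os
import re

# Constructed for this example: the only directory the service may import files from.
ALLOWED_ROOT = "/srv/h2o/data"
# Assumed for this example: frame keys are short identifiers, never paths.
FRAME_KEY_RE = re.compile(r"^[A-Za-z0-9_.\-]{1,128}$")

class PathRejected(ValueError):
    """Raised when a request parameter fails validation."""

def validate_import_path(user_value, allowed_root=ALLOWED_ROOT):
    """Resolve a client-supplied 'path' and return it only if it stays inside allowed_root.

    '..' components and symlinks are collapsed with realpath before the containment
    check, so a link under allowed_root that points elsewhere is rejected as well.
    """
    if not isinstance(user_value, str) or not user_value:
        raise PathRejected("path must be a non-empty string")
    if "\x00" in user_value:
        raise PathRejected("NUL byte in path")
    if "://" in user_value or re.match(r"^[A-Za-z][A-Za-z0-9+.\-]*:", user_value):
        raise PathRejected("URL schemes are not accepted")
    if os.path.isabs(user_value):
        raise PathRejected("absolute paths are not accepted")
    root = os.path.realpath(allowed_root)
    candidate = os.path.realpath(os.path.join(root, user_value))
    # Require a strict prefix so that '/srv/h2o/data2' is not mistaken for the root.
    if not candidate.startswith(root + os.sep):
        raise PathRejected("path resolves outside the allowed directory")
    return candidate

def validate_source_frames(values):
    """Accept a non-empty list of frame keys matching FRAME_KEY_RE; reject anything path-like."""
    if not isinstance(values, list) or not values:
        raise PathRejected("source_frames must be a non-empty list")
    cleaned = []
    for key in values:
        if not isinstance(key, str) or not FRAME_KEY_RE.match(key) or ".." in key:
            raise PathRejected("invalid frame key: %r" % (key,))
        cleaned.append(key)
    return cleaned

def is_accepted(validator, value):
    """Helper: True if validator(value) succeeds, False if it raises PathRejected."""
    try:
        validator(value)
        return True
    except PathRejected:
        return False
```

The containment check is done on the resolved path, not on the raw string, which is what makes encoded or symlink-based escapes fail alongside plain '../' traversal.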

Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A