Medium Severity

h2o-3

Exposure of Full Filesystem Paths via Typeahead API in h2o-3

A vulnerability in h2o-3 version 3.40.0.4 allows remote users to view full paths across the entire file system of the host where h2o-3 is running. This issue exposes sensitive information to unauthorized actors, potentially facilitating further exploitation. The vulnerability was reported to the vendor on June 9, 2023, but no fixed version is specified in the information provided.

Available publicly on May 14, 2024

CVSS: 5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Credit: danmcinerney

Threat Overview

The vulnerability arises from the Typeahead API endpoint in h2o-3, which, when queried with a specific request, returns a list of top-level directories in the server's filesystem. This behavior is unintended and poses a significant security risk, as it can reveal sensitive information about the server's structure, installed software, and potentially confidential data locations. This information could be leveraged by attackers in conjunction with other vulnerabilities, such as Local File Inclusion (LFI), to execute more severe attacks.

Attack Scenario

An attacker, with knowledge of the h2o-3 server's IP address and port, sends a crafted HTTP GET request to the Typeahead API endpoint. This request includes a parameter to list the contents of the root directory ('/'). The server responds with a JSON object containing the names of accessible top-level directories, thus revealing parts of the server's filesystem structure to the attacker.

Who is affected

Any instance of h2o-3 version 3.40.0.4 exposed to the internet or accessible within a network is vulnerable to this issue. Administrators and users of such instances are at risk of having their server's filesystem structure exposed to unauthorized remote users.
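
One way to spot the request described under Attack Scenario in reverse-proxy access logs, as an added example that is not part of the advisory or of h2o-3. It assumes Combined Log Format; the `/3/Typeahead/files` path and `src` parameter in the constructed log lines follow h2o-3's public REST API rather than this advisory, and `classify`, `scan` and the trusted-client set are hypothetical names.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Combined Log Format: client, timestamp, request line, status (assumed log format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line, trusted=()):
    """Return None for unrelated or unparsable lines, else a finding dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    segments = [s.lower() for s in url.path.split("/") if s]
    if "typeahead" not in segments:
        return None
    # parse_qsl percent-decodes values, so "%2F" and "/" are treated alike.
    # Only POSIX-style absolute paths are recognised here.
    abs_paths = [v for _, v in parse_qsl(url.query, keep_blank_values=True)
                 if v.startswith("/")]
    if m["client"] in trusted:
        severity = "info"      # expected client, e.g. the UI's own file picker
    elif abs_paths and m["status"] == "200":
        severity = "high"      # absolute path requested and a listing was served
    else:
        severity = "medium"    # endpoint reached by an untrusted client
    return {"client": m["client"], "time": m["ts"], "severity": severity, "paths": abs_paths}

def scan(lines, trusted=()):
    """Classify every line and keep only the findings."""
    return [f for f in (classify(line, trusted) for line in lines) if f]

# Constructed sample log lines (not captured from a real server).
SAMPLE = [
    '203.0.113.7 - - [14/May/2024:10:01:02 +0000] "GET /3/Typeahead/files?src=%2F&limit=10 HTTP/1.1" 200 312',
    '10.0.0.5 - - [14/May/2024:10:02:00 +0000] "GET /3/Typeahead/files?src=%2Fdata%2Ftrain HTTP/1.1" 200 120',
    '198.51.100.9 - - [14/May/2024:10:03:00 +0000] "GET /3/Typeahead/files?src=train HTTP/1.1" 403 0',
    '198.51.100.9 - - [14/May/2024:10:03:10 +0000] "GET /3/Cloud HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE, trusted={"10.0.0.5"}):
        print(finding)
```

A "high" finding means an untrusted client received a listing for an absolute path, which is the exposure this advisory describes; "medium" findings show the endpoint is reachable from outside the trusted set.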
