Severity: Medium

h2o-3

Exposure of Full Filesystem Paths via Typeahead API in h2o-3

A vulnerability in h2o-3 version 3.40.0.4 allows an unauthenticated remote user to enumerate full paths anywhere on the file system of the host running h2o-3 by querying the typeahead API. This exposes sensitive information (directory layout, user and project names, locations of data and configuration files) to unauthorized actors and can aid further attacks against the host. The issue was reported to the vendor on June 9, 2023; at the time of writing, no fixed version had been published.

Available publicly on May 14, 2024

CVSS: 5.3 (Medium)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Credit:

danmcinerney
Remediation Steps
  • Restrict network access to the h2o-3 instance (firewall rules, a private network, or a reverse proxy) so that only trusted users can reach its REST API; do not expose it directly to the internet.
  • Watch for a patch or update from h2o.ai that addresses this issue and apply it as soon as it is available.
  • Put authentication and access controls in front of sensitive API endpoints, in particular the typeahead endpoint, and deny it to callers who do not need file-path completion.
  • Review and follow h2o.ai's security guidance for hardening h2o-3 instances and protecting the data they hold.
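Until a fix ships, a detection rule on the proxy logs in front of h2o-3 shows whether anyone is probing the file system through the typeahead API. The following is an added example, not code from the h2o-3 project or from this advisory. It assumes the endpoint path `/3/Typeahead/files` with a `src` query parameter (check the path against your h2o-3 version), a reverse proxy writing combined-log-format lines, and a deployment policy made up for the example: two trusted networks and one directory (`/data/h2o`) that the endpoint may legitimately browse. The log lines are constructed for the example.

```python
"""Flag h2o-3 typeahead requests that probe the file system from untrusted sources.

Added example: scans reverse-proxy access log lines for requests to the h2o-3
typeahead endpoint and reports those that come from outside the trusted
networks or whose `src` prefix would list a directory outside the allowed roots.
"""
import ipaddress
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumption (not stated in the advisory): h2o-3 answers file-path completion at
# /3/Typeahead/files?src=<prefix>&limit=<n>; adjust to the path your version uses.
TYPEAHEAD_PATH = "/3/Typeahead/files"

# Deployment-specific policy (hypothetical): networks allowed to reach the REST
# API, and the directories the typeahead endpoint is meant to browse.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.1.0/24")]
ALLOWED_ROOTS = ["/data/h2o"]

# Combined-log-format line as written by a reverse proxy in front of h2o-3.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log: one legitimate completion, one external probe of /etc,
# one "../" traversal from a trusted host, one listing of "/", one unrelated call.
SAMPLE_LOG = """\
10.1.2.3 - - [14/May/2024:10:00:01 +0000] "GET /3/Typeahead/files?src=%2Fdata%2Fh2o%2Ftr&limit=50 HTTP/1.1" 200 312
203.0.113.7 - - [14/May/2024:10:00:05 +0000] "GET /3/Typeahead/files?src=%2Fetc%2Fpas&limit=100 HTTP/1.1" 200 145
10.1.2.9 - - [14/May/2024:10:00:09 +0000] "GET /3/Typeahead/files?src=%2Fdata%2Fh2o%2F..%2F..%2Fhome%2F&limit=100 HTTP/1.1" 200 980
10.1.2.3 - - [14/May/2024:10:00:12 +0000] "GET /3/Typeahead/files?src=%2F&limit=100 HTTP/1.1" 200 611
203.0.113.7 - - [14/May/2024:10:00:15 +0000] "GET /3/Cloud HTTP/1.1" 200 2210
""".splitlines()


def is_trusted(ip: str) -> bool:
    """True if the client address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def enumerated_directory(src: str) -> str:
    """Directory a completion request for `src` actually lists.

    Completion works on the last path component, so "/etc/pas" lists /etc while
    "/data/h2o/" lists /data/h2o itself. normpath folds "..", so a traversal such
    as "/data/h2o/../../etc/pas" is judged as /etc. Relative prefixes resolve
    against h2o's working directory and come back without a leading "/", which
    the root check below treats as outside the allowed roots.
    """
    norm = posixpath.normpath(src)
    if src.endswith("/") or norm == "/":
        return norm
    return posixpath.dirname(norm)


def outside_allowed_roots(directory: str) -> bool:
    """True unless `directory` is an allowed root or lies beneath one."""
    return not any(directory == root or directory.startswith(root + "/")
                   for root in ALLOWED_ROOTS)


def scan(lines):
    """Return one finding per typeahead request that breaks the policy."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != TYPEAHEAD_PATH:
            continue
        # parse_qs percent-decodes the value, so "%2F" is already "/" here.
        src = parse_qs(parts.query).get("src", [""])[0]
        reasons = []
        if not is_trusted(m["ip"]):
            reasons.append("untrusted_source")
        if src and outside_allowed_roots(enumerated_directory(src)):
            reasons.append("src_outside_allowed_roots")
        if reasons:
            findings.append({"ip": m["ip"], "src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']:<15} src={f['src']!r:<28} {', '.join(f['reasons'])}")
```

Run against the sample, the legitimate completion under `/data/h2o` and the unrelated `/3/Cloud` call pass, while the external probe of `/etc`, the `../` traversal into `/home`, and the listing of `/` from a trusted host are all reported. The same `enumerated_directory` check can be reused as an allow-list at the proxy to block such requests rather than merely log them.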
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A