Description

In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the issue resides in the Typeahead API call, which when requested with a typeahead lookup of '/', exposes the root filesystem including directories such as /home, /usr, /bin, among others. This vulnerability could allow attackers to explore the entire filesystem, and when combined with a Local File Inclusion (LFI) vulnerability, could make exploitation of the server trivial.

INFO

Published Date :

2024-06-06T18:18:36.358Z

Last Modified :

2025-10-15T12:49:42.613Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-5550 vulnerability.

Vendors Products
H2o
  • H2o
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-5550.

URL Resource
https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact