CVE-2023-6038

Name of the Vulnerable Software and Affected Versions h2o-3 version 3.40.0.4

Description A Local File Inclusion (LFI) issue exists in the h2o-3 REST API, allowing unauthenticated remote attackers to read arbitrary files on the server with the permissions of the user running the h2o-3 instance. This issue affects the default installation and does not require user interaction. The issue can be exploited by making specific GET or POST requests to the "ImportFiles" and "ParseSetup" endpoints, respectively.

Recommendations For version 3.40.0.4, as a temporary workaround, consider restricting access to the "ImportFiles" and "ParseSetup" endpoints until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.