CVE-2024-5550

Name of the Vulnerable Software and Affected Versions h2oai/h2o-3 version 3.40.0.4

Description The issue is caused by an arbitrary system path lookup feature, allowing any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the problem resides in the Typeahead API call, which when requested with a typeahead lookup of '/', exposes the root filesystem including directories such as /home, /usr, /bin, among others. This could allow attackers to explore the entire filesystem, and when combined with a Local File Inclusion (LFI) vulnerability, could make exploitation of the server trivial.

Recommendations For version 3.40.0.4, as a temporary workaround, consider restricting access to the Typeahead API call until a patch is available. Avoid using the Typeahead API call with a typeahead lookup of '/' to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.