PT-2026-5651 · H2O-3 · H2O-3

Published 2026-02-02 · Updated 2026-02-03 · CVE-2024-5986

CVSS v3.1: 9.1 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

h2o-3 version 3.46.0.1

Description

A flaw exists in h2o-3 that permits remote attackers to write arbitrary data to any file on the server. An attacker can use the /3/Parse API endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the /3/Frames/framename/export API endpoint. Successful exploitation could lead to remote code execution and complete system access, including the ability to overwrite critical files such as private SSH keys or script files. The vulnerable parameters are not explicitly mentioned.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
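
With no fixed release listed, one defensive option is to review HTTP access logs for the two endpoints named in the description. The following is an added example, not part of the original advisory or the H2O-3 project. It assumes a reverse proxy in front of H2O-3 that writes common-log-format lines; the sample log, client addresses, frame names and the trusted-client allowlist are all constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (common log format) from a hypothetical
# reverse proxy in front of H2O-3; addresses and frame names are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Feb/2026:10:00:01 +0000] "GET /3/Cloud HTTP/1.1" 200 512
10.0.0.5 - - [02/Feb/2026:10:00:02 +0000] "POST /3/Parse HTTP/1.1" 200 830
203.0.113.7 - - [02/Feb/2026:10:01:10 +0000] "POST /3/Parse HTTP/1.1" 200 845
203.0.113.7 - - [02/Feb/2026:10:01:12 +0000] "POST /3/Frames/empty.hex/export HTTP/1.1" 200 120
10.0.0.5 - - [02/Feb/2026:10:02:00 +0000] "GET /3/Frames/iris.hex/summary HTTP/1.1" 200 2048
198.51.100.9 - - [02/Feb/2026:10:03:00 +0000] "POST /3/Frames/prod.hex/export HTTP/1.1" 200 118
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')
EXPORT_RE = re.compile(r"^/3/Frames/(?P<frame>[^/]+)/export$")
TRUSTED_CLIENTS = frozenset({"10.0.0.5"})  # assumption: known analyst hosts


def find_export_calls(log_text, trusted=TRUSTED_CLIENTS):
    """Return (client, frame, reasons) for each frame export worth reviewing."""
    parsed = set()  # clients that have already called /3/Parse
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client = m["ip"]
        path = urlsplit(m["target"]).path  # drop any query string
        if path == "/3/Parse":
            parsed.add(client)
            continue
        export = EXPORT_RE.match(path)
        if not export:
            continue
        reasons = []
        if client not in trusted:
            reasons.append("untrusted_client")
        if client in parsed:
            reasons.append("parse_then_export")  # the sequence the advisory describes
        if reasons:
            findings.append((client, unquote(export["frame"]), reasons))
    return findings


if __name__ == "__main__":
    for client, frame, reasons in find_export_calls(SAMPLE_LOG):
        print(f"{client} exported frame {frame!r}: {', '.join(reasons)}")
```

Parse followed by export is also a normal H2O-3 workflow, so the findings are review candidates rather than confirmed compromise; the allowlist decides how noisy the output is.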

RCE

Weakness Enumeration

Related Identifiers

CVE-2024-5986
GHSA-WJ3H-WX8G-X699

Affected Products

H2O-3