Description
Directory traversal vulnerability in H2O before 1.4.5 and 1.5.x before 1.5.0-beta2, when the file.dir directive is enabled, allows remote attackers to read arbitrary files via a crafted URL.
References (3)
Core 3
Core References
Vendor Advisory third-party-advisory
x_refsource_jvndb
http://jvndb.jvn.jp/jvndb/JVNDB-2015-000136
Vendor Advisory third-party-advisory
x_refsource_jvn
http://jvn.jp/en/jp/JVN65602714/index.html
Vendor Advisory x_refsource_confirm
https://h2o.examp1e.net/vulnerabilities.html#CVE-2015-5638
Scores
EPSS
0.0165
EPSS Percentile
73.7%
Details
CWE
CWE-22
Status
published
Products (2)
dena/h20
< 1.4.4
dena/h20
< 1.5.0
Published
Sep 20, 2015
Tracked Since
Feb 18, 2026