CVE-2023-6038

HIGH EXPLOITED NUCLEI

h2o-3 <3.40.0.4 - LFI

Title source: llm

Description

A Local File Inclusion (LFI) vulnerability exists in the h2o-3 REST API, allowing unauthenticated remote attackers to read arbitrary files on the server with the permissions of the user running the h2o-3 instance. This issue affects the default installation and does not require user interaction. The vulnerability can be exploited by making specific GET or POST requests to the ImportFiles and ParseSetup endpoints, respectively. This issue was identified in version 3.40.0.4 of h2o-3.

Nuclei Templates (1)

H2O ImportFiles - Local File Inclusion

HIGHVERIFIEDby danmcinerney,byt3bl33d3r

Shodan: title:"H2O Flow" || http.title:"h2o flow"

FOFA: title="h2o flow"

References (1)

[Exploit] https://huntr.com/bounties/380fce33-fec5-49d9-a101-12c972125d8c

Scores

CVSS v3 7.5

EPSS 0.6328

EPSS Percentile 98.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2024-01-22

CWE

CWE-862

Status published

Products (2)

ai.h2o/h2o-core 0Maven

h2o/h2o

Published Nov 16, 2023

Tracked Since Feb 18, 2026