CVE-2023-6038

HIGH EXPLOITED NUCLEI

h2o-3 3.40.0.4 - Unauthenticated Local File Inclusion via ImportFiles and ParseSetup Endpoints

Title source: llm

Exploitation Summary

CVE-2023-6038 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

A Local File Inclusion (LFI) vulnerability exists in the h2o-3 REST API, allowing unauthenticated remote attackers to read arbitrary files on the server with the permissions of the user running the h2o-3 instance. This issue affects the default installation and does not require user interaction. The vulnerability can be exploited by making specific GET or POST requests to the ImportFiles and ParseSetup endpoints, respectively. This issue was identified in version 3.40.0.4 of h2o-3.

Nuclei Templates (1)

H2O ImportFiles - Local File Inclusion

HIGHVERIFIEDby danmcinerney,byt3bl33d3r

Shodan: title:"H2O Flow" || http.title:"h2o flow"

FOFA: title="h2o flow"

References (1)

Core 1

Core References

Exploit

https://huntr.com/bounties/380fce33-fec5-49d9-a101-12c972125d8c

Scores

CVSS v3 7.5

EPSS 0.0434

EPSS Percentile 89.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

VulnCheck KEV 2024-01-22

CWE

CWE-862

Status published

Products (2)

ai.h2o/h2o-core 0Maven

h2o/h2o

Published Nov 16, 2023

Tracked Since Feb 18, 2026