CVE-2024-5550 (GCVE-0-2024-5550)
Vulnerability from cvelistv5 – Published: 2024-06-06 18:18 – Updated: 2025-10-15 12:49
VLAI?
Title
Exposure of Sensitive Information via Arbitrary System Path Lookup in h2oai/h2o-3
Summary
In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the issue resides in the Typeahead API call, which when requested with a typeahead lookup of '/', exposes the root filesystem including directories such as /home, /usr, /bin, among others. This vulnerability could allow attackers to explore the entire filesystem, and when combined with a Local File Inclusion (LFI) vulnerability, could make exploitation of the server trivial.
Severity ?
5.3 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| h2oai | h2oai/h2o-3 |
Affected:
unspecified , ≤ latest
(custom)
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:h2oai:h2oai\\/h2o-3:3.40.0.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "h2oai\\/h2o-3",
"vendor": "h2oai",
"versions": [
{
"status": "affected",
"version": "3.40.0.4"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5550",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-07T13:44:00.477809Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-07T13:45:04.788Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:18:06.328Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "h2oai/h2o-3",
"vendor": "h2oai",
"versions": [
{
"lessThanOrEqual": "latest",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the issue resides in the Typeahead API call, which when requested with a typeahead lookup of \u0027/\u0027, exposes the root filesystem including directories such as /home, /usr, /bin, among others. This vulnerability could allow attackers to explore the entire filesystem, and when combined with a Local File Inclusion (LFI) vulnerability, could make exploitation of the server trivial."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T12:49:42.613Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc"
}
],
"source": {
"advisory": "e76372c2-39be-4984-a7c8-7048a75a25dc",
"discovery": "EXTERNAL"
},
"title": "Exposure of Sensitive Information via Arbitrary System Path Lookup in h2oai/h2o-3"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-5550",
"datePublished": "2024-06-06T18:18:36.358Z",
"dateReserved": "2024-05-30T21:05:04.309Z",
"dateUpdated": "2025-10-15T12:49:42.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:h2o:h2o:3.40.0.4:*:*:*:*:python:*:*\", \"matchCriteriaId\": \"071849AC-FE17-43A6-A67F-35760CABCAB2\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the issue resides in the Typeahead API call, which when requested with a typeahead lookup of \u0027/\u0027, exposes the root filesystem including directories such as /home, /usr, /bin, among others. This vulnerability could allow attackers to explore the entire filesystem, and when combined with a Local File Inclusion (LFI) vulnerability, could make exploitation of the server trivial.\"}, {\"lang\": \"es\", \"value\": \"En h2oai/h2o-3 versi\\u00f3n 3.40.0.4, existe una vulnerabilidad de exposici\\u00f3n de informaci\\u00f3n confidencial debido a una funci\\u00f3n de b\\u00fasqueda de ruta arbitraria del sistema. Esta vulnerabilidad permite a cualquier usuario remoto ver las rutas completas en todo el sistema de archivos donde est\\u00e1 alojado h2o-3. Espec\\u00edficamente, el problema reside en la llamada API Typeahead, que cuando se solicita con una b\\u00fasqueda anticipada de \u0027/\u0027, expone el sistema de archivos ra\\u00edz, incluidos directorios como /home, /usr, /bin, entre otros. Esta vulnerabilidad podr\\u00eda permitir a los atacantes explorar todo el sistema de archivos y, cuando se combina con una vulnerabilidad de inclusi\\u00f3n de archivos locales (LFI), podr\\u00eda hacer que la explotaci\\u00f3n del servidor sea trivial.\"}]",
"id": "CVE-2024-5550",
"lastModified": "2024-11-21T09:47:54.640",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}], \"cvssMetricV30\": [{\"source\": \"security@huntr.dev\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}]}",
"published": "2024-06-06T19:16:09.473",
"references": "[{\"url\": \"https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc\", \"source\": \"security@huntr.dev\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security@huntr.dev\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-5550\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2024-06-06T19:16:09.473\",\"lastModified\":\"2025-10-15T13:15:46.893\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the issue resides in the Typeahead API call, which when requested with a typeahead lookup of \u0027/\u0027, exposes the root filesystem including directories such as /home, /usr, /bin, among others. This vulnerability could allow attackers to explore the entire filesystem, and when combined with a Local File Inclusion (LFI) vulnerability, could make exploitation of the server trivial.\"},{\"lang\":\"es\",\"value\":\"En h2oai/h2o-3 versi\u00f3n 3.40.0.4, existe una vulnerabilidad de exposici\u00f3n de informaci\u00f3n confidencial debido a una funci\u00f3n de b\u00fasqueda de ruta arbitraria del sistema. Esta vulnerabilidad permite a cualquier usuario remoto ver las rutas completas en todo el sistema de archivos donde est\u00e1 alojado h2o-3. Espec\u00edficamente, el problema reside en la llamada API Typeahead, que cuando se solicita con una b\u00fasqueda anticipada de \u0027/\u0027, expone el sistema de archivos ra\u00edz, incluidos directorios como /home, /usr, /bin, entre otros. Esta vulnerabilidad podr\u00eda permitir a los atacantes explorar todo el sistema de archivos y, cuando se combina con una vulnerabilidad de inclusi\u00f3n de archivos locales (LFI), podr\u00eda hacer que la explotaci\u00f3n del servidor sea trivial.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"cvssMetricV30\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:h2o:h2o:3.40.0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E57282AC-B36C-452D-968F-DD4B940072BD\"}]}]}],\"references\":[{\"url\":\"https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc\",\"source\":\"security@huntr.dev\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T21:18:06.328Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-5550\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-07T13:44:00.477809Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:h2oai:h2oai\\\\/h2o-3:3.40.0.4:*:*:*:*:*:*:*\"], \"vendor\": \"h2oai\", \"product\": \"h2oai\\\\/h2o-3\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.40.0.4\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-07T13:45:00.641Z\"}}], \"cna\": {\"title\": \"Exposure of Sensitive Information via Arbitrary System Path Lookup in h2oai/h2o-3\", \"source\": {\"advisory\": \"e76372c2-39be-4984-a7c8-7048a75a25dc\", \"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"cvssV3_0\": {\"scope\": \"UNCHANGED\", \"version\": \"3.0\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"h2oai\", \"product\": \"h2oai/h2o-3\", \"versions\": [{\"status\": \"affected\", \"version\": \"unspecified\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"latest\"}]}], \"references\": [{\"url\": \"https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the issue resides in the Typeahead API call, which when requested with a typeahead lookup of \u0027/\u0027, exposes the root filesystem including directories such as /home, /usr, /bin, among others. This vulnerability could allow attackers to explore the entire filesystem, and when combined with a Local File Inclusion (LFI) vulnerability, could make exploitation of the server trivial.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"c09c270a-b464-47c1-9133-acb35b22c19a\", \"shortName\": \"@huntr_ai\", \"dateUpdated\": \"2024-06-06T18:18:36.358Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-5550\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T21:18:06.328Z\", \"dateReserved\": \"2024-05-30T21:05:04.309Z\", \"assignerOrgId\": \"c09c270a-b464-47c1-9133-acb35b22c19a\", \"datePublished\": \"2024-06-06T18:18:36.358Z\", \"assignerShortName\": \"@huntr_ai\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…