CVE-2023-6569 h2o

Package

Manager: pip
Name: h2o
Vulnerable Version: >=0 <=3.44.0.2

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:L/SA:H

EPSS: 0.00174 (percentile 0.39149)

Details

External Control of File Name or Path in h2oai/h2o-3. Remote unauthenticated attackers can overwrite arbitrary server files with attacker-controllable data. The data the attacker controls is not entirely arbitrary: h2o writes a CSV/XLS/etc. file to disk, so when exporting as CSV the attacker-supplied data is wrapped in quotation marks and prefixed with "C1".

Metadata

Created: 2023-12-14T15:30:22Z
Modified: 2023-12-15T03:12:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-gqrq-j6pm-98c2/GHSA-gqrq-j6pm-98c2.json
CWE IDs: ["CWE-610", "CWE-73"]
Alternative ID: GHSA-gqrq-j6pm-98c2
Finding: F098
Auto approve: 1