5.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2024-5550

GHSA ID

GHSA-x234-r5fg-x52m

EPSS Score

0.39564%

CWE

CWE-200

Published

6/6/2024

Updated

6/6/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-5550

CVE-2024-5550: Arbitrary system path lookup in h20

In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the issue resides in the Typeahead API call, which when requested with a typeahead lookup of '/', exposes the root filesystem including directories such as /home, /usr, /bin, among others. This vulnerability could allow attackers to explore the entire filesystem, and when combined with a Local File Inclusion (LFI) vulnerability, could make exploitation of the server trivial.

(GitHub Advisory)

5.3

CVSS Score

3.0

Basic Information

CVE ID

CVE-2024-5550

GHSA ID

GHSA-x234-r5fg-x52m

EPSS Score

0.39564%

CWE

CWE-200

Published

6/6/2024

Updated

6/6/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
h2o	pip	<= 3.40.0.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly identifies the Typeahead API endpoint as the attack vector. While no specific code is shown, web API handlers typically follow a pattern where endpoint methods like handle_request process input parameters. The exposure of root directory listings when '/' is submitted strongly suggests this function: 1) Accepts raw user input as a filesystem path 2) Uses it in directory listing operations 3) Fails to validate() against path traversal or root access. The high confidence comes from the precise vulnerability pattern matching common directory traversal flaws in web handlers, combined with the explicit API endpoint attribution in multiple advisory sources.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In **o*i/**o-* v*rsion *.**.*.*, *n *xposur* o* s*nsitiv* in*orm*tion vuln*r**ility *xists *u* to *n *r*itr*ry syst*m p*t* lookup ***tur*. T*is vuln*r**ility *llows *ny r*mot* us*r to vi*w *ull p*t*s in t** *ntir* *il* syst*m w**r* **o-* is *ost**. S

Reasoning

T** vuln*r**ility **s*ription *xpli*itly i**nti*i*s t** Typ****** *PI *n*point *s t** *tt**k v**tor. W*il* no sp**i*i* *o** is s*own, w** *PI **n*l*rs typi**lly *ollow * p*tt*rn w**r* *n*point m*t*o*s lik* `**n*l*_r*qu*st` pro**ss input p*r*m*t*rs. T

5.3

Basic Information

Concerned about an active attack path?

CVE-2024-5550: Arbitrary system path lookup in h20

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI