CVE-2024-5550 - Vulnerability Details - OpenCVE

In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the issue resides in the Typeahead API call, which when requested with a typeahead lookup of '/', exposes the root filesystem including directories such as /home, /usr, /bin, among others. This vulnerability could allow attackers to explore the entire filesystem, and when combined with a Local File Inclusion (LFI) vulnerability, could make exploitation of the server trivial.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
H2o	H2o

Configuration 1 [-]

cpe:2.3:a:h2o:h2o:3.40.0.4:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc

History

Wed, 15 Oct 2025 13:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-200

Wed, 15 Oct 2025 13:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-22

Tue, 15 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00175}`	epss `{'score': 0.01089}`

Wed, 12 Feb 2025 18:00:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:h2o:h2o:3.40.0.4:::::python::	cpe:2.3:a:h2o:h2o:3.40.0.4:::::::*

Thu, 17 Oct 2024 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		H2o H2o h2o
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:h2o:h2o:3.40.0.4:::::python::
Vendors & Products		H2o H2o h2o
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-06-06T18:18:36.358Z

Updated: 2025-10-15T12:49:42.613Z

Reserved: 2024-05-30T21:05:04.309Z

Link: CVE-2024-5550

Vulnrichment

Updated: 2024-08-01T21:18:06.328Z

NVD

Status : Modified

Published: 2024-06-06T19:16:09.473

Modified: 2025-10-15T13:15:46.893

Link: CVE-2024-5550

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5550", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-05-30T21:05:04.309Z", "datePublished": "2024-06-06T18:18:36.358Z", "dateUpdated": "2025-10-15T12:49:42.613Z"}, "containers": {"cna": {"title": "Exposure of Sensitive Information via Arbitrary System Path Lookup in h2oai/h2o-3", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2025-10-15T12:49:42.613Z"}, "descriptions": [{"lang": "en", "value": "In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the issue resides in the Typeahead API call, which when requested with a typeahead lookup of '/', exposes the root filesystem including directories such as /home, /usr, /bin, among others. This vulnerability could allow attackers to explore the entire filesystem, and when combined with a Local File Inclusion (LFI) vulnerability, could make exploitation of the server trivial."}], "affected": [{"vendor": "h2oai", "product": "h2oai/h2o-3", "versions": [{"version": "unspecified", "status": "affected", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22"}]}], "source": {"advisory": "e76372c2-39be-4984-a7c8-7048a75a25dc", "discovery": "EXTERNAL"}}, "adp": [{"affected": [{"vendor": "h2oai", "product": "h2oai\\/h2o-3", "cpes": ["cpe:2.3:a:h2oai:h2oai\\/h2o-3:3.40.0.4:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "3.40.0.4", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-07T13:44:00.477809Z", "id": "CVE-2024-5550", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-07T13:45:04.788Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:18:06.328Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:18:06.328Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5550", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-07T13:44:00.477809Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:h2oai:h2oai\\/h2o-3:3.40.0.4:*:*:*:*:*:*:*"], "vendor": "h2oai", "product": "h2oai\\/h2o-3", "versions": [{"status": "affected", "version": "3.40.0.4"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-07T13:45:00.641Z"}}], "cna": {"title": "Exposure of Sensitive Information via Arbitrary System Path Lookup in h2oai/h2o-3", "source": {"advisory": "e76372c2-39be-4984-a7c8-7048a75a25dc", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "h2oai", "product": "h2oai/h2o-3", "versions": [{"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc"}], "descriptions": [{"lang": "en", "value": "In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the issue resides in the Typeahead API call, which when requested with a typeahead lookup of '/', exposes the root filesystem including directories such as /home, /usr, /bin, among others. This vulnerability could allow attackers to explore the entire filesystem, and when combined with a Local File Inclusion (LFI) vulnerability, could make exploitation of the server trivial."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-06-06T18:18:36.358Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5550", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:18:06.328Z", "dateReserved": "2024-05-30T21:05:04.309Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2024-06-06T18:18:36.358Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:h2o:h2o:3.40.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "E57282AC-B36C-452D-968F-DD4B940072BD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the issue resides in the Typeahead API call, which when requested with a typeahead lookup of '/', exposes the root filesystem including directories such as /home, /usr, /bin, among others. This vulnerability could allow attackers to explore the entire filesystem, and when combined with a Local File Inclusion (LFI) vulnerability, could make exploitation of the server trivial."}, {"lang": "es", "value": "En h2oai/h2o-3 versi\u00f3n 3.40.0.4, existe una vulnerabilidad de exposici\u00f3n de informaci\u00f3n confidencial debido a una funci\u00f3n de b\u00fasqueda de ruta arbitraria del sistema. Esta vulnerabilidad permite a cualquier usuario remoto ver las rutas completas en todo el sistema de archivos donde est\u00e1 alojado h2o-3. Espec\u00edficamente, el problema reside en la llamada API Typeahead, que cuando se solicita con una b\u00fasqueda anticipada de '/', expone el sistema de archivos ra\u00edz, incluidos directorios como /home, /usr, /bin, entre otros. Esta vulnerabilidad podr\u00eda permitir a los atacantes explorar todo el sistema de archivos y, cuando se combina con una vulnerabilidad de inclusi\u00f3n de archivos locales (LFI), podr\u00eda hacer que la explotaci\u00f3n del servidor sea trivial."}], "id": "CVE-2024-5550", "lastModified": "2025-10-15T13:15:46.893", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-06T19:16:09.473", "references": [{"source": "security@huntr.dev", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@huntr.dev", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Secondary"}]}