CVE-2023-6569
CRITICAL9.3EPSS 0.21%External Control of File Name or Path in h2oai/h2o-3
發布日:2023/12/14修改日:2026/4/30
描述
Remote unauthenticated attackers can overwrite arbitrary server files with attacker-controllable data. The data that the attacker can control is not entirely arbitrary. h2o writes a CSV/XLS/etc file to disk, so the attacker data is wrapped in quotations and starts with "C1", if they're exporting as CSV.
受影響套件(1)
- PyPI/h2ofrom 0, < 3.46.0.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H |