CVE-2023-6569 · CVEKit

cve.orgen

52 chars

External Control of File Name or Path in h2oai/h2o-3

NVDen

52 chars

External Control of File Name or Path in h2oai/h2o-3

OSV.deven

304 chars

Remote unauthenticated attackers can overwrite arbitrary server files with attacker-controllable data. The data that the attacker can control is not entirely arbitrary. h2o writes a CSV/XLS/etc file to disk, so the attacker data is wrapped in quotations and starts with "C1", if they're exporting as CSV.

GHSAen

304 chars

Remote unauthenticated attackers can overwrite arbitrary server files with attacker-controllable data. The data that the attacker can control is not entirely arbitrary. h2o writes a CSV/XLS/etc file to disk, so the attacker data is wrapped in quotations and starts with "C1", if they're exporting as CSV.

NVDes

60 chars

Control externo del nombre o ruta del archivo en h2oai/h2o-3

CVSS metrics across sources

5

Version	Type	Source	Base	Exp	Impact	Vector
3.0	Primary	cve.org	9.3	—	—	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H
3.0	Primary	cve.org	9.3	—	—	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H