CVE-2023-6038

Severity: Critical
Year: 2023
CVSS v3 Score: 9.3 (Critical)

Vulnerability Description

A Local File Inclusion (LFI) vulnerability exists in the h2o-3 REST API, allowing unauthenticated remote attackers to read arbitrary files on the server with the permissions of the user running the h2o-3 instance. This issue affects the default installation and does not require user interaction. The vulnerability can be exploited by making specific GET or POST requests to the ImportFiles and ParseSetup endpoints, respectively. This issue was identified in version 3.40.0.4 of h2o-3.

CVSS: 9.3 (Critical)

The CMP for WordPress is vulnerable to authorization bypass due to a missing capability check on the cmp_get_post_detail(), niteo_export_csv(), and cmp_disable_comingsoon_ajax() functions in versions ...

CVSS: 9.1 (Critical)

It was discovered that the /configuration view of redhat-certification 7 does not perform an authorization check and it allows an unauthenticated user to remove a "system" file, that is an xml file wi...

CVSS: 9.1 (Critical)

SecurEnvoy SecurMail before 9.2.501 allows remote attackers to spoof transmission of arbitrary e-mail messages, resend e-mail messages to arbitrary recipients, or modify arbitrary message bodies and a...

CVSS: 9.1 (Critical)

Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server missing authorization vulnerability in the REST API. A re...

CVSS: 9.1 (Critical)

In Bender COMTRAXX, user authorization is validated for most, but not all, routes in the system. A user with knowledge about the routes can read and write configuration data without prior authorizatio...

CVSS: 9.1 (Critical)

File Deletion vulnerability in Halo 0.4.3 via delBackup.