CVE-2023-6038: Missing Authorization

November 16, 2023 (updated February 8, 2024)

An attacker is able to read any file on the server hosting the H2O dashboard without any authentication.

References

huntr.com/bounties/380fce33-fec5-49d9-a101-12c972125d8c
nvd.nist.gov/vuln/detail/CVE-2023-6038

Detect and mitigate CVE-2023-6038 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →