CVE-2024-7768 — H2O Vulnerable to Denial of Service (DoS) via `/3/ImportFiles` Endpoint

Description

A vulnerability in the `/3/ImportFiles` endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. The endpoint takes a single GET parameter, `path`, which can be recursively set to reference itself. This leads the server to repeatedly call its own endpoint, eventually filling up the request queue and leaving the server unable to handle other requests.

How to fix CVE-2024-7768

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed
—no fix listed

Is CVE-2024-7768 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, <= 3.46.1
from 0, <= 3.46.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-7768
PATCHgithub.com/h2oai/h2o-3
WEBgithub.com/h2oai/h2o-3/blob/7d418fa19d3ab434f742818e37f891bef9102c97/h2o-core/src/main/java/water/api/ImportFilesHandler.java#L19
WEBhuntr.com/bounties/3fe640df-bef4-4072-8890-0d12bc2818f6