Vulnerability Report - Sensitive Information Disclosure


phoenix whitehat

Jan 13, 2021, 11:32:52 AM
to h2os...@googlegroups.com
Hi Team,

I am a security researcher and I have found some bugs in your platform. One of which is as follows:

Weakness: Sensitive Information Disclosure

Severity: High-Critical

Vulnerable Host: https://www.h2o.ai/

Summary:

After some research, I found a leak on GitHub that might lead to accessing sensitive data, private IP addresses and other sensitive information.

GitHub is a truly awesome service but it is unwise to put any sensitive data in code that is hosted on GitHub and similar services.

Sensitive Information Leakage:

Leaked Database Credentials:

1- https://github.com/h2oai/h2o-3/blob/fd53edd854a048e7344cec5c34dc71bf222d6620/scripts/db_check.pyv

2- https://github.com/h2oai/h2o-3/blob/fd53edd854a048e7344cec5c34dc71bf222d6620/scripts/send_to_mysql.py

3- https://github.com/h2oai/dai-deployment-examples/blob/92407a4435c4581d2cdd03f78b3dbe06c488fdcd/mojo-db-udf/config/lending_club_pg.conf

Other Sensitive Information:

https://github.com/h2oai/h2o-2/blob/be350f3f2c2fb6f135cc07c41f83fd0e4f521ac1/bench/BMscripts/161_163


Impact:

High potential of unauthorized access to PII data.


Regards,
Phoenix  
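One way to catch files like the ones listed above before they are committed to a public repository is a small credential scanner run in a pre-commit hook or CI job. The code below is an added example, not code from h2o.ai or from the reporter; the sample inputs are constructed in the style of the linked files (a Python DB script and a key=value config), not their actual contents. It also skips values that reference environment variables or placeholders, so code that already reads its password from the environment is not flagged.

```python
import re
from typing import List, Tuple

# How database credentials usually end up hardcoded: Python keyword arguments,
# connection URIs with embedded passwords, and key=value lines in config files.
CRED_PATTERNS = [
    ("python-kwarg", re.compile(r"""\b(?:password|passwd|pwd)\s*=\s*(['"])(?P<secret>[^'"]*)\1""", re.I)),
    ("db-uri", re.compile(r"\b(?:mysql|postgres(?:ql)?|jdbc:\w+)://[^:\s/]+:(?P<secret>[^@\s]+)@", re.I)),
    ("config-key", re.compile(r"^\s*[\w.]*(?:password|passwd)\s*[=:]\s*(?P<secret>\S+)\s*$", re.I | re.M)),
]
# Values that mean the secret is NOT hardcoded: env-var references and placeholders.
PLACEHOLDER = re.compile(r"^(?:\$\{?\w+\}?|<[^>]+>|changeme|x{3,}|\*+)?$", re.I)


def find_hardcoded_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, pattern_name, masked_secret) per probable hardcoded credential."""
    findings, seen = [], set()
    for name, pattern in CRED_PATTERNS:
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            secret = m.group("secret")
            if line_no in seen or PLACEHOLDER.match(secret):
                continue  # already reported, or an env-var reference / placeholder
            seen.add(line_no)
            # Mask before reporting so the scanner's own output does not re-leak the value.
            findings.append((line_no, name, secret[:2] + "*" * (len(secret) - 2)))
    return sorted(findings)

# Constructed samples in the style of the files named in the report (not their real contents).
SAMPLE_PY = '''\
import mysql.connector
conn = mysql.connector.connect(
    host="db.internal.example",
    user="bench",
    password="S3cretPass!",
)
'''
SAMPLE_CONF = """\
db.host=10.0.0.5
db.user=lending
db.password=hunter2
url=postgresql://app:pgpass123@10.0.0.5/lending
"""
SAMPLE_SAFE = 'conn = connect(password=os.environ["DB_PASSWORD"])\ndb.password=${DB_PASSWORD}\n'

if __name__ == "__main__":
    for label, sample in (("db_check.py-like", SAMPLE_PY), ("pg.conf-like", SAMPLE_CONF), ("safe", SAMPLE_SAFE)):
        print(label, find_hardcoded_credentials(sample))
```

Scanning the working tree alone is not enough once a secret has been pushed: the commit history still contains it, so a leaked credential must be rotated and the history rewritten.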


phoenix whitehat

Jan 18, 2021, 3:05:02 PM
to h2os...@googlegroups.com
Any updates on this?