Bug 2451798 (CVE-2026-33490)
| Field | Value |
|---|---|
| Summary | CVE-2026-33490 h3: Information disclosure due to incorrect path prefix validation |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | NEW --- |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Reporter | OSIDB Bzimport <bzimport> |
| Assignee | Product Security DevOps Team <prodsec-dev> |
| QA Contact | |
| Docs Contact | |
| CC | jcantril, rojacob |
| Keywords | Security |
| Doc Type | --- |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 2452017, 2452018 |
| Bug Blocks | |

Doc Text:

A flaw was found in H3, a minimal HTTP framework. The `mount()` method, which routes requests to sub-applications by path prefix, checks the prefix with a plain string comparison and does not require the match to end on a path segment boundary. A remote attacker can therefore craft a URL whose path merely begins with a mounted prefix (an unrelated public path whose leading characters coincide with an administrative prefix) and have it handled by the sub-application mounted there. Middleware written for the administrative path then runs for the public path and can set privilege flags in the request context that later handlers trust, which may expose sensitive information or grant unintended access.
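The segment-boundary problem described in the Doc Text, as an added example that is not h3's own code: a minimal prefix-mount router (hypothetical names `prefixMatchesNaive`, `prefixMatchesStrict`, `createRouter`, `buildApp`) with the bare `startsWith()` check beside a check that also requires the character after the prefix to be end-of-string, `/` or `?`. The mounted paths `/admin` and `/admin-public` and the `isAdmin` context flag are constructed for illustration.

```javascript
// Added example, not h3's code: a toy prefix-mount router showing why a bare
// startsWith() check leaks requests across the path segment boundary, and the
// boundary-aware check that closes it. All names are hypothetical.

// Vulnerable check: matches any path that merely begins with the prefix,
// so "/admin" also captures "/admin-public" and "/administrator".
function prefixMatchesNaive(prefix, path) {
  return path.startsWith(prefix);
}

// Hardened check: after the prefix the path must end, or continue with "/"
// (next segment) or "?" (query string). Prefixes are written without a
// trailing slash. "/admin" matches "/admin", "/admin/users", "/admin?x=1",
// but not "/admin-public" or "/administrator".
function prefixMatchesStrict(prefix, path) {
  if (!path.startsWith(prefix)) return false;
  if (path.length === prefix.length) return true;
  const next = path[prefix.length];
  return next === "/" || next === "?";
}

// Minimal mount table: each entry pairs a prefix with the middleware that runs
// before its handler. The first mount whose prefix matches wins, so mount
// order matters for the naive matcher.
function createRouter(matchFn) {
  const mounts = [];
  return {
    mount(prefix, { middleware = [], handler }) {
      mounts.push({ prefix, middleware, handler });
    },
    handle(path) {
      // Request context shared by middleware and handler (constructed shape).
      const ctx = { path, isAdmin: false };
      for (const m of mounts) {
        if (matchFn(m.prefix, path)) {
          for (const mw of m.middleware) mw(ctx);
          return m.handler(ctx);
        }
      }
      return { status: 404, body: "not found", isAdmin: ctx.isAdmin };
    },
  };
}

// Constructed application: the /admin sub-app has middleware that sets a
// privilege flag in the context; /admin-public is an unrelated public area.
function buildApp(matchFn) {
  const app = createRouter(matchFn);
  app.mount("/admin", {
    middleware: [(ctx) => { ctx.isAdmin = true; }],
    handler: (ctx) => ({ status: 200, body: "admin dashboard", isAdmin: ctx.isAdmin }),
  });
  app.mount("/admin-public", {
    handler: (ctx) => ({ status: 200, body: "public page", isAdmin: ctx.isAdmin }),
  });
  return app;
}

// Side-by-side run of the same request through both matchers.
function compare(path) {
  return {
    naive: buildApp(prefixMatchesNaive).handle(path),
    strict: buildApp(prefixMatchesStrict).handle(path),
  };
}

console.log(JSON.stringify(compare("/admin-public/about"), null, 2));
```

With the naive matcher a request for `/admin-public/about` is captured by the `/admin` mount because its path starts with `/admin`; the admin middleware runs, `isAdmin` is set, and the admin handler answers a public request. The strict matcher rejects that mount because the character after `/admin` is `-`, and the request falls through to `/admin-public` with the flag still false. The same boundary rule is what a prefix-based `mount()` needs before delegating to a sub-application.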
Description

OSIDB Bzimport, 2026-03-26 18:01:54 UTC