H2O Flow Unauthenticated Access

critical Web App Scanning Plugin ID 114969

Language:

Synopsis

H2O Flow Unauthenticated Access

Description

H2O Flow is an open-source user interface for H2O, an open-source, distributed and scalable machine learning and predictive analytics platform. By default, H2O Flow does not require authentication to access the application. This allows an attacker to access sensitive data. This detection is included in the AI and LLM category.

Solution

Authentication should be enforced to prevent unauthorized access to the H2O Flow interface.

See Also

https://docs.h2o.ai/

https://docs.h2o.ai/h2o/latest-stable/h2o-docs/flow.html

Plugin Details

Severity: Critical

ID: 114969

Type: remote

Family: Artificial Intelligence

Published: 9/26/2025

Updated: 9/26/2025

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: High

Score: 7.5

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Critical

Base Score: 10

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVSS Score Source: Tenable

Reference Information

CWE: 284

OWASP: 2010-A8, 2013-A7, 2017-A5, 2021-A1

WASC: Insufficient Authorization

CAPEC: 19, 441, 478, 479, 502, 503, 536, 546, 550, 551, 552, 556, 558, 562, 563, 564, 578

DISA STIG: APSC-DV-000460

HIPAA: 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-1.4.2

PCI-DSS: 3.2-6.5.8