krasinski

2 exploits, active since Jun 2024
CVE-2024-10553  CRITICAL  WRITEUP
h2o < 3.46.0.6 - Unauthenticated Remote Code Execution via JDBC URL Deserialization
A vulnerability in the h2oai/h2o-3 REST API version 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where a user-controlled JDBC URL is passed to DriverManager.getConnection. Because the URL, and with it the driver's connection properties, is chosen by the caller, the driver can be made to deserialize attacker-controlled data if a MySQL or PostgreSQL JDBC driver is available on the classpath. This issue is fixed in version 3.47.0.
CVSS 9.8
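The pattern behind this finding is a request-supplied connection string reaching DriverManager.getConnection unchanged, so the caller, not the operator, decides which driver loads and which driver properties apply. The block below is an added example, not h2o-3 code and not the project's 3.47.0 patch: it shows the unsafe call beside a guard that only lets a caller pick an approved driver and host, discards everything after the database name, and leaves connection properties to the server. The scheme allowlist, the `db.internal` host, and the sample URLs (including the property names they carry) are constructed for illustration; the advisory itself does not say which URL parameters were abused.

```java
// Added example (not h2o-3 code): validate a caller-supplied JDBC URL before it
// reaches DriverManager.getConnection. Allowed schemes/hosts and all sample
// inputs are assumptions made for illustration.
import java.net.URI;
import java.net.URISyntaxException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.List;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;

public class JdbcUrlGuard {

    // Drivers the server is prepared to hand a connection request to (assumed).
    private static final Set<String> ALLOWED_SCHEMES = Set.of("mysql", "postgresql");

    // Hosts an operator has approved; assumed to come from server-side config.
    private final Set<String> allowedHosts;

    public JdbcUrlGuard(Set<String> allowedHosts) {
        this.allowedHosts = allowedHosts;
    }

    // Vulnerable pattern: the request body's URL goes straight to the driver, so the
    // caller also chooses every driver property the URL's query string carries.
    public static Connection connectUnsafe(String userUrl) throws SQLException {
        return DriverManager.getConnection(userUrl);
    }

    // Hardened pattern: the caller may only pick an approved driver, host and database;
    // the query string is refused and the server supplies its own properties.
    public Connection connectSafe(String userUrl, Properties serverProps) throws SQLException {
        return DriverManager.getConnection(sanitize(userUrl), serverProps);
    }

    // Rebuilds the URL from scheme, host, port and database name only, or throws
    // IllegalArgumentException when any other component is present or disallowed.
    public String sanitize(String userUrl) {
        if (userUrl == null || !userUrl.regionMatches(true, 0, "jdbc:", 0, 5)) {
            throw new IllegalArgumentException("not a JDBC URL");
        }
        URI uri;
        try {
            // Drop the "jdbc:" prefix so java.net.URI parses the rest as a hierarchical URI.
            uri = new URI(userUrl.substring(5));
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed JDBC URL", e);
        }
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);
        if (!ALLOWED_SCHEMES.contains(scheme)) {
            throw new IllegalArgumentException("driver not allowed: " + scheme);
        }
        String host = uri.getHost();
        if (host == null || !allowedHosts.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("host not allowed: " + host);
        }
        if (uri.getUserInfo() != null) {
            throw new IllegalArgumentException("credentials must not be embedded in the URL");
        }
        // Database name: exactly one path segment of safe characters.
        String db = uri.getPath() == null ? "" : uri.getPath();
        if (!db.matches("/[A-Za-z0-9_]{1,64}")) {
            throw new IllegalArgumentException("invalid database name");
        }
        if (uri.getQuery() != null || uri.getFragment() != null) {
            // Everything after '?' is driver configuration; the caller gets none of it.
            throw new IllegalArgumentException("driver properties are not accepted in the URL");
        }
        int port = uri.getPort();
        return "jdbc:" + scheme + "://" + host + (port == -1 ? "" : ":" + port) + db;
    }

    public static void main(String[] args) {
        JdbcUrlGuard guard = new JdbcUrlGuard(Set.of("db.internal"));
        // Constructed sample inputs; the parameter names are stand-ins, not exploit payloads.
        List<String> samples = List.of(
            "jdbc:mysql://db.internal:3306/sales",
            "jdbc:postgresql://db.internal/sales?socketFactory=com.example.Evil",
            "jdbc:mysql://attacker.example:3306/x?autoDeserialize=true",
            "jdbc:h2:mem:test");
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + guard.sanitize(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first sample is accepted; the other three are rejected for carrying a query string, an unapproved host, or an unapproved driver. Two caveats a practitioner would add: the guard does not make the endpoints themselves safe to expose, since the advisory's core problem is that they are reachable without authentication, and the attack surface also depends on which JDBC drivers are on the classpath, so an unneeded MySQL or PostgreSQL driver jar is worth removing regardless of URL checks.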
CVE-2024-5979  HIGH  WRITEUP
h2o 3.46.0 - Denial of Service via run_tool Command in rapids Component
In h2oai/h2o-3 version 3.46.0, the `run_tool` command in the `rapids` component lets a caller invoke the `main` method of any class in the `water.tools` package. One such class, `MojoConvertTool`, crashes the server when invoked with an invalid argument, causing a denial of service.
CVSS 7.5
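The weakness here is a dispatcher that resolves a caller-chosen class name under a package prefix and calls its command-line `main`, so every tool in that package becomes a remote endpoint and a tool's failure surfaces as the server's failure. The block below is an added example, not h2o-3 code and not the project's fix: it contrasts that reflective dispatch with an explicit registry of tools that validate their own arguments behind an error boundary. The `convert` tool is a constructed stand-in that only checks its arguments; it is not `MojoConvertTool`, and the tool names and usage rules are assumptions.

```java
// Added example (not h2o-3 code): replace "call main() of any class under a package"
// with an explicit allowlist and an error boundary. Tool names and argument rules
// are assumptions made for illustration.
import java.util.Map;
import java.util.function.Consumer;

public class ToolDispatcher {

    // Vulnerable pattern: the caller picks the class, every main() under the prefix is
    // reachable, and whatever main() does (throw, exit, exhaust memory) happens in the server.
    public static void runToolUnsafe(String packagePrefix, String toolName, String[] args) throws Exception {
        Class<?> cls = Class.forName(packagePrefix + "." + toolName);
        cls.getMethod("main", String[].class).invoke(null, (Object) args);
    }

    // Hardened pattern: only registered in-process entry points, each checking its own input.
    private final Map<String, Consumer<String[]>> tools;

    public ToolDispatcher(Map<String, Consumer<String[]>> tools) {
        this.tools = tools;
    }

    // Returns a status string for the request instead of letting a tool failure escape.
    public String runTool(String toolName, String[] args) {
        Consumer<String[]> tool = tools.get(toolName);
        if (tool == null) {
            return "error: unknown tool '" + toolName + "'";
        }
        try {
            tool.accept(args);
            return "ok";
        } catch (RuntimeException e) {
            // Error boundary: bad input becomes an error response for this request only.
            return "error: " + toolName + " rejected input: " + e.getMessage();
        }
    }

    // Hypothetical tool: validates its arguments up front and reports, rather than
    // assuming a process it owns. A real converter would do its work after these checks.
    static void convert(String[] args) {
        if (args.length != 2) {
            throw new IllegalArgumentException("usage: convert <input.zip> <output>");
        }
        if (!args[0].endsWith(".zip")) {
            throw new IllegalArgumentException("input must be a .zip file");
        }
    }

    public static void main(String[] args) {
        Map<String, Consumer<String[]>> registry = Map.of("convert", ToolDispatcher::convert);
        ToolDispatcher d = new ToolDispatcher(registry);
        System.out.println(d.runTool("convert", new String[] {"model.zip", "model.out"}));
        System.out.println(d.runTool("convert", new String[] {"bogus"}));
        System.out.println(d.runTool("SomeOtherTool", new String[0]));
    }
}
```

The three calls print `ok`, an argument-rejection error, and an unknown-tool error; none of them leaves the server in a bad state. The registry matters more than the catch block: `main` methods are written for a process they own and may call `System.exit` or consume unbounded resources, which no exception handler intercepts, so the fix is to stop exposing command-line entry points from a server thread rather than to wrap them.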