CVE-2024-45758

CRITICAL

H2O < 3.46.0.4 - Unauthenticated Remote Code Execution via JDBC Connection URL Injection

Title source: llm

Description

H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with any typical JDBC Connection URL attack payload such as one that uses queryInterceptors.

References (2)

Core 2

Core References

Third Party Advisory

https://gist.github.com/AfterSnows/c24ca3c26dc89ab797e610e92a6a9acb

Exploit, Third Party Advisory

https://spear-shield.notion.site/Unauthenticated-Remote-Code-Execution-via-Unrestricted-JDBC-Connection-87a958a4874044199cbb86422d1f6068

Scores

CVSS v3 9.1

EPSS 0.0011

EPSS Percentile 28.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-502

Status published

Products (3)

ai.h2o/h2o-core 0Maven

h2o/h2o < 3.46.0.4

pypi/h2o 0PyPI

Published Sep 06, 2024

Tracked Since Feb 18, 2026