CVE-2024-45758

CRITICAL

H2o < 3.46.0.4 - Insecure Deserialization

Title source: rule

Description

H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with any typical JDBC Connection URL attack payload such as one that uses queryInterceptors.

References (2)

[Third Party Advisory] https://gist.github.com/AfterSnows/c24ca3c26dc89ab797e610e92a6a9acb

[Exploit, Third Party Advisory] https://spear-shield.notion.site/Unauthenticated-Remote-Code-Execution-via-Unrestricted-JDBC-Connection-87a958a4874044199cbb86422d1f6068

Scores

CVSS v3 9.1

EPSS 0.0011

EPSS Percentile 28.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Classification

CWE

CWE-502

Status published

Affected Products (3)

h2o/h2o < 3.46.0.4

ai.h2o/h2o-core Maven

pypi/h2o PyPI

Timeline

Published Sep 06, 2024

Tracked Since Feb 18, 2026