
We found results for “”
CVE-2024-10553
Good to know:


Date: March 20, 2025
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are passed to DriverManager.getConnection, leading to deserialization if a MySQL or PostgreSQL driver is available in the classpath. This issue is fixed in version 3.47.0.
Severity Score
Related Resources (5)
Severity Score
Weakness Type (CWE)
Deserialization of Untrusted Data
CWE-502Top Fix

Upgrade Version
Upgrade to version h2o - 3.46.0.6;ai.h2o:h2o-core:3.46.0.6;ai.h2o:h2o-core:3.46.0.6;https://github.com/h2oai/h2o-3.git - 3.46.0.6
CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | HIGH |
Availability (A): | HIGH |