Home > Vulnerability Database > CVE-2024-10553

Mend.io Vulnerability Database

CVE-2024-10553

Good to know:

Date: March 20, 2025

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are passed to DriverManager.getConnection, leading to deserialization if a MySQL or PostgreSQL driver is available in the classpath. This issue is fixed in version 3.47.0.

Severity Score

9.8

Related Resources (5)

Url: https://github.com/h2oai/h2o-3

Url: https://github.com/h2oai/h2o-3/commit/ac1d642b4d86f10a02d75974055baf2a4b2025ac

Url: https://huntr.com/bounties/e6f550dd-eda2-428c-a740-ed8f893a084b

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-10553

Url: https://www.mend.io/vulnerability-database/CVE-2024-10553

Severity Score

9.8

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Top Fix

Upgrade Version

Upgrade to version h2o - 3.46.0.6;ai.h2o:h2o-core:3.46.0.6;ai.h2o:h2o-core:3.46.0.6;https://github.com/h2oai/h2o-3.git - 3.46.0.6

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-10553

Good to know:

Date: March 20, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?