Home > Vulnerability Database > CVE-2024-45758

Mend.io Vulnerability Database

CVE-2024-45758

Date: September 5, 2024

H2O.ai H2O allows attackers to arbitrarily set the JDBC URL, enabling deserialization attacks, file reads, and command execution. Exploitation is possible if an attacker can POST to the /ImportSQLTable endpoint with a JSON body containing a connection_url field (e.g., a JDBC URL leveraging queryInterceptors or similar driver features). No official fix is available yet.

Severity Score

9.1

Related Resources (9)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-45758

Url: https://github.com/h2oai/h2o-3

Url: https://github.com/h2oai/h2o-3/issues/16622

Url: https://github.com/h2oai/h2o-3/issues/16425

Url: https://spear-shield.notion.site/Unauthenticated-Remote-Code-Execution-via-Unrestricted-JDBC-Connection-87a958a4874044199cbb86422d1f6068

Url: https://github.com/h2oai/h2o-3/pull/16624

Url: https://github.com/h2oai/h2o-3/commit/f714edd6b8429c7a7211b779b6ec108a95b7382d

Url: https://gist.github.com/AfterSnows/c24ca3c26dc89ab797e610e92a6a9acb

Url: https://www.mend.io/vulnerability-database/CVE-2024-45758

Severity Score

9.1

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-45758

Date: September 5, 2024

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?