CVE-2024-45758

H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with any typical JDBC Connection URL attack payload such as one that uses queryInterceptors.
Configurations

No configuration.

History

06 Sep 2024, 18:35

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.1
CWE CWE-502

06 Sep 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-06 16:15

Updated : 2024-09-06 18:35


NVD link : CVE-2024-45758

Mitre link : CVE-2024-45758

CVE.ORG link : CVE-2024-45758


JSON object : View

Products Affected

No product.

CWE
CWE-502

Deserialization of Untrusted Data