H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with any typical JDBC Connection URL attack payload such as one that uses queryInterceptors.
References
Configurations
No configuration.
History
06 Sep 2024, 18:35
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.1 |
CWE | CWE-502 |
06 Sep 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-06 16:15
Updated : 2024-09-06 18:35
NVD link : CVE-2024-45758
Mitre link : CVE-2024-45758
CVE.ORG link : CVE-2024-45758
JSON object : View
Products Affected
No product.
CWE
CWE-502
Deserialization of Untrusted Data