H2O.ai H2O through version 3.46.0.4 allows attackers to set the JDBC connection URL arbitrarily, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker can POST to the ImportSQLTable URI a JSON document whose connection_url property carries any typical JDBC connection-URL attack payload, such as one that uses the MySQL Connector/J queryInterceptors property; the URL is handed to the JDBC driver without validation, so driver options that load classes or read local files are reachable by anyone who can reach the endpoint.
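As an added example (not code from H2O-3 and not the project's fix), the following Python validator shows the control the description implies is missing: parse an attacker-supplied connection_url and refuse anything outside a host allowlist and a small option allowlist, which covers the queryInterceptors/autoDeserialize pair behind the deserialization outcome and the LOAD DATA LOCAL INFILE options behind the file-read outcome. ALLOWED_HOSTS, SAFE_PROPS and the sample URLs are assumptions constructed for the example; the dangerous property names are Connector/J options whose abuse is publicly documented.

```python
"""Added example (not H2O-3 project code, and not the project's fix):
validating an attacker-supplied JDBC connection URL before it reaches the
driver, which is the control the advisory description implies is missing.

Assumptions not taken from the advisory: the deployment keeps an allowlist of
legitimate database hosts (ALLOWED_HOSTS below is a placeholder), only plain
single-host MySQL/PostgreSQL URLs (jdbc:<driver>://host[:port]/db?k=v) are
expected, and SAFE_PROPS is an illustrative allowlist of harmless options.
"""
from urllib.parse import parse_qsl, urlsplit


class UnsafeJdbcUrl(ValueError):
    """Raised when a connection URL must not be passed to DriverManager."""


# Placeholder allowlist; a real deployment would load this from configuration.
ALLOWED_HOSTS = frozenset({"db.internal.example"})

# Connector/J options whose abuse is publicly documented (stored lower-cased):
#   queryInterceptors / statementInterceptors / exceptionInterceptors load
#     attacker-named classes; with autoDeserialize=true a rogue server can feed
#     a serialized Java object to the client (the deserialization path)
#   allowLoadLocalInfile / allowUrlInLocalInfile / allowLoadLocalInfileInPath
#     let a rogue server pull arbitrary client files via LOAD DATA LOCAL INFILE
#   detectCustomCollations is a second known deserialization trigger
DANGEROUS_PROPS = frozenset({
    "queryinterceptors", "statementinterceptors", "exceptioninterceptors",
    "autodeserialize", "allowloadlocalinfile", "allowurlinlocalinfile",
    "allowloadlocalinfileinpath", "detectcustomcollations",
})

# Illustrative allowlist of options a data-import feature legitimately needs.
SAFE_PROPS = frozenset({
    "usessl", "requiressl", "verifyservercertificate", "sslmode",
    "connecttimeout", "sockettimeout", "characterencoding", "servertimezone",
})


def validate_jdbc_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> dict:
    """Parse url and return its components, or raise UnsafeJdbcUrl.

    Unknown options are rejected as well as known-bad ones: a deny-list alone
    would not survive the next driver feature that loads classes or files.
    """
    if not url.lower().startswith("jdbc:"):
        raise UnsafeJdbcUrl("not a jdbc: URL")
    parts = urlsplit(url[len("jdbc:"):])
    if parts.scheme not in ("mysql", "postgresql"):
        raise UnsafeJdbcUrl(f"driver {parts.scheme!r} not permitted")
    # Drivers accept multi-host lists, address=(host=..) syntax and inline
    # credentials; none of those are needed here, so refuse them outright.
    if any(ch in parts.netloc for ch in ",()@") or parts.fragment:
        raise UnsafeJdbcUrl("unsupported host syntax")
    try:
        port = parts.port
    except ValueError as exc:
        raise UnsafeJdbcUrl("bad port") from exc
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise UnsafeJdbcUrl(f"host {host!r} not in allowlist")
    database = parts.path.lstrip("/")
    if not database or "/" in database:
        raise UnsafeJdbcUrl("bad database name")
    props = {}
    # parse_qsl percent-decodes keys, so "%41utoDeserialize" is still caught;
    # lower-casing makes the comparison case-insensitive as well.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        name = key.strip().lower()
        if name in DANGEROUS_PROPS:
            raise UnsafeJdbcUrl(f"property {key!r} is not allowed")
        if name not in SAFE_PROPS:
            raise UnsafeJdbcUrl(f"property {key!r} is not on the allowlist")
        props[name] = value
    return {"driver": parts.scheme, "host": host, "port": port,
            "database": database, "props": props}


def classify(url: str) -> str:
    """Human-readable verdict, convenient for logging or tests."""
    try:
        validate_jdbc_url(url)
    except UnsafeJdbcUrl as exc:
        return f"rejected: {exc}"
    return "ok"


# Constructed sample inputs (not captured from any real system).
SAMPLES = {
    "benign": "jdbc:mysql://db.internal.example:3306/churn?useSSL=true",
    "interceptor": ("jdbc:mysql://db.internal.example/churn?queryInterceptors="
                    "com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor"
                    "&autoDeserialize=true"),
    "rogue_host": "jdbc:mysql://203.0.113.5:3306/x?allowLoadLocalInfile=true",
    "encoded_key": "jdbc:mysql://db.internal.example/churn?%41utoDeserialize=true",
    "wrong_driver": "jdbc:sqlserver://db.internal.example;databaseName=x",
}


if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(f"{label:>12}: {classify(sample)}")
```

The allowlist-of-options approach matters more than the deny-list: a deployment that only blocks queryInterceptors is still exposed to any other driver option that reads files or loads classes, whereas rejecting every option the import feature does not need closes the whole class. Host allowlisting closes the remaining vector, a rogue server under the attacker's control.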
History
Fri, 06 Sep 2024 18:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | | H2oai; H2oai h2o-3 |
Weaknesses | | CWE-502 |
CPEs | | cpe:2.3:a:h2oai:h2o-3:*:*:*:*:*:*:*:* |
Vendors & Products | | H2oai; H2oai h2o-3 |
Metrics | | cvssV3_1 |
Fri, 06 Sep 2024 15:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | | H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with any typical JDBC Connection URL attack payload such as one that uses queryInterceptors. |
References | | |
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2024-09-06T00:00:00
Updated: 2024-09-06T17:59:17.751Z
Reserved: 2024-09-06T00:00:00
Link: CVE-2024-45758
Vulnrichment
Updated: 2024-09-06T17:53:03.513Z
NVD
Status: Awaiting Analysis
Published: 2024-09-06T16:15:03.517
Modified: 2024-09-06T18:35:13.043
Link: CVE-2024-45758
Redhat
No data.