{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7768", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-08-13T18:55:25.587Z", "datePublished": "2025-03-20T10:10:48.544Z", "dateUpdated": "2025-10-15T12:49:52.281Z"}, "containers": {"cna": {"title": "Denial of Service in h2oai/h2o-3", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2025-10-15T12:49:52.281Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability in the `/3/ImportFiles` endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. The endpoint takes a single GET parameter, `path`, which can be recursively set to reference itself. This leads the server to repeatedly call its own endpoint, eventually filling up the request queue and leaving the server unable to handle other requests."}], "affected": [{"vendor": "h2oai", "product": "h2oai/h2o-3", "versions": [{"version": "unspecified", "status": "affected", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/3fe640df-bef4-4072-8890-0d12bc2818f6"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "cweId": "CWE-770"}]}], "source": {"advisory": "3fe640df-bef4-4072-8890-0d12bc2818f6", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-20T17:50:42.537851Z", "id": "CVE-2024-7768", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T18:16:20.641Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:h2o:h2o:3.46.1:*:*:*:*:*:*:*", "matchCriteriaId": "586854EB-3FFB-4887-9E51-2CE97CCE8B53", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the `/3/ImportFiles` endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. The endpoint takes a single GET parameter, `path`, which can be recursively set to reference itself. This leads the server to repeatedly call its own endpoint, eventually filling up the request queue and leaving the server unable to handle other requests."}, {"lang": "es", "value": "Una vulnerabilidad en el endpoint `/3/ImportFiles` de h2oai/h2o-3 versi\u00f3n 3.46.1 permite a un atacante provocar una denegaci\u00f3n de servicio. El endpoint utiliza un \u00fanico par\u00e1metro GET, `path`, que puede configurarse recursivamente para que se autoreferencia. Esto provoca que el servidor llame repetidamente a su propio endpoint, lo que acaba saturando la cola de solicitudes y dejando al servidor incapacitado para gestionar otras solicitudes."}], "id": "CVE-2024-7768", "lastModified": "2025-10-15T13:15:52.797", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2025-03-20T10:15:37.133", "references": [{"source": "security@huntr.dev", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/3fe640df-bef4-4072-8890-0d12bc2818f6"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security@huntr.dev", "type": "Primary"}]}

{}

{"created": "2025-07-13T11:32:21.587341+00:00", "updated": "2025-07-13T11:32:21.587418+00:00", "vendors": ["h2oai", "h2oai$PRODUCT$h2o-3"]}