Description

H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with any typical JDBC Connection URL attack payload such as one that uses queryInterceptors.

INFO

Published Date :

2024-09-06T00:00:00.000Z

Last Modified :

2024-09-06T17:59:17.751Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2024-45758 vulnerability.

Vendors Products
H2o
  • H2o
H2oai
  • H2o-3
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-45758.

URL Resource
https://gist.github.com/AfterSnows/c24ca3c26dc89ab797e610e92a6a9acb cve-icon cve-icon
https://spear-shield.notion.site/Unauthenticated-Remote-Code-Execution-via-Unrestricted-JDBC-Connection-87a958a4874044199cbb86422d1f6068 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact