9.1

CVE-2024-45758

Exploit

EPSS 0.11%
Veröffentlicht 06.09.2024 16:15:03
Zuletzt bearbeitet 29.09.2025 13:56:10
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with any typical JDBC Connection URL attack payload such as one that uses queryInterceptors.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

H2o ≫ H2o Version <= 3.46.0.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.291

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://gist.github.com/AfterSnows/c24ca3c26dc89ab797e610e92a6a9acb

Third Party Advisory

https://spear-shield.notion.site/Unauthenticated-Remote-Code-Execution-via-Unrestricted-JDBC-Connection-87a958a4874044199cbb86422d1f6068

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-45758

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-45758

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-45758

EUVD