CVE-2024-6863

Exploit

EPSS 0.33%
Veröffentlicht 20.03.2025 10:10:30
Zuletzt bearbeitet 15.07.2025 15:52:34
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

Encryption of Arbitrary Files with Attacker-Controlled Key in h2oai/h2o-3

In h2oai/h2o-3 version 3.46.0, an endpoint exposing a custom EncryptionTool allows an attacker to encrypt any files on the target server with a key of their choosing. The chosen key can also be overwritten, resulting in ransomware-like behavior. This vulnerability makes it possible for an attacker to encrypt arbitrary files with keys of their choice, making it exceedingly difficult for the target to recover the keys needed for decryption.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

H2o ≫ H2o Version3.46.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.245

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	6.5	3.9	2.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CWE-749 Exposed Dangerous Method or Function

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

https://huntr.com/bounties/10f55937-0cba-4530-897f-2abf30ed5270

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-6863

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-6863

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-6863

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-6863