CRITICAL🇵🇱 Wersja polska

CVE-2024-10553

CVSS 9.8v3.0pub. 2025-03-20upd. 2025-07-14

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are passed to DriverManager.getConnection, leading to deserialization if a MySQL or PostgreSQL driver is available in the classpath. This issue is fixed in version 3.47.0.

🤖 AI Analysis
How it works

An attacker sends an HTTP POST request to the /99/ImportSQLTable or /3/SaveToHiveTable endpoints, passing a crafted JDBC URL controlled by the user. This URL is then passed to the DriverManager.getConnection method without proper validation. If a MySQL or PostgreSQL driver is available in the application's classpath, deserialization of data supplied by the attacker occurs, leading to arbitrary code execution on the server.

Impact

An unauthenticated remote attacker can gain full control over the server by executing arbitrary code, threatening the confidentiality, integrity, and availability of the system.

Mitigation & patch

Update h2oai/h2o-3 to version 3.47.0 or newer, in which the vulnerability has been patched. As a temporary workaround, consider restricting network access to REST API endpoints exclusively to trusted hosts.

Who is affected

h2oai/h2o-3 REST API in version 3.46.0.4

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • H2o

    APP
    H2O
    3.46.0.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2026-3960CRITICAL9.8PL ✓ten sam produkt

RCE przez obejście blacklisty JDBC w REST API H2O-3

CVE-2025-6544CRITICAL9.8PL ✓ten sam produkt

Deserializacja w H2O umożliwia RCE i odczyt plików systemowych

CVE-2024-45758CRITICAL9.1PL ✓ten sam produkt

H2O.ai H2O — RCE i odczyt plików przez niekontrolowany JDBC URL

CVE-2023-6016CRITICAL9.8ten sam produkt

An attacker is able to gain remote code execution on a server hosting the H2O dashboard through it's POJO mode...

CVE-2024-10550HIGH7.5ten sam produkt

A vulnerability in the `/3/ParseSetup` endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service...