A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are passed to DriverManager.getConnection, leading to deserialization if a MySQL or PostgreSQL driver is available in the classpath. This issue is fixed in version 3.47.0.
An attacker sends an HTTP POST request to the /99/ImportSQLTable or /3/SaveToHiveTable endpoints, passing a crafted JDBC URL controlled by the user. This URL is then passed to the DriverManager.getConnection method without proper validation. If a MySQL or PostgreSQL driver is available in the application's classpath, deserialization of data supplied by the attacker occurs, leading to arbitrary code execution on the server.
An unauthenticated remote attacker can gain full control over the server by executing arbitrary code, threatening the confidentiality, integrity, and availability of the system.
Update h2oai/h2o-3 to version 3.47.0 or newer, in which the vulnerability has been patched. As a temporary workaround, consider restricting network access to REST API endpoints exclusively to trusted hosts.
h2oai/h2o-3 REST API in version 3.46.0.4
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HH2o
APPH2O3.46.0.4
Related vulnerabilities
RCE przez obejście blacklisty JDBC w REST API H2O-3
Deserializacja w H2O umożliwia RCE i odczyt plików systemowych
H2O.ai H2O — RCE i odczyt plików przez niekontrolowany JDBC URL
An attacker is able to gain remote code execution on a server hosting the H2O dashboard through it's POJO mode...
A vulnerability in the `/3/ParseSetup` endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service...