A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.
The vulnerability results from improper handling of JDBC connection parameters, where input data is validated using regular expressions (regex). An attacker can bypass these security measures by using double URL encoding, which allows malicious parameters to be smuggled through. The crafted data then reaches the deserialization process (CWE-502), where untrusted data is processed without proper validation, leading to arbitrary code execution on the server side.
An attacker can gain full control over the server: execute arbitrary code (RCE), read sensitive system files, and consequently compromise or destroy processed data and the H2O environment.
H2O should be updated as soon as possible to a version containing the fix indicated in the vendor's references (commit 0298ee348f5c73673b7b542158081e79605f5f25 in the GitHub repository). Until the patch is deployed, network access to H2O instances should be restricted to trusted hosts only, and the ability to configure JDBC connections by untrusted users should be blocked.
H2O (h2o-3) in all versions up to and including 3.46.0.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HH2o
APPH2O3.0.0.2 – 3.46.0.8
Related vulnerabilities
RCE przez obejście blacklisty JDBC w REST API H2O-3
RCE poprzez deserializację w REST API h2oai/h2o-3 (JDBC URL)
H2O.ai H2O — RCE i odczyt plików przez niekontrolowany JDBC URL
An attacker is able to gain remote code execution on a server hosting the H2O dashboard through it's POJO mode...
A vulnerability in the `/3/ParseSetup` endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service...