CVE-2024-45758 — H2O.ai H2O vulnerable to deserialization attacks via a JDBC Connection URL

Description

H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with any typical JDBC Connection URL attack payload such as one that uses queryInterceptors.

How to fix CVE-2024-45758

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed
—no fix listed

Is CVE-2024-45758 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, <= 3.46.0.7
from 0, <= 3.46.0.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-45758
PATCHgithub.com/h2oai/h2o-3
WEBgist.github.com/AfterSnows/c24ca3c26dc89ab797e610e92a6a9acb
WEBgithub.com/h2oai/h2o-3/commit/f714edd6b8429c7a7211b779b6ec108a95b7382d
WEB