CVE-2024-10553 – h2o

Package

Manager: pip
Name: h2o
Vulnerable Version: >=0 <3.46.0.6

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.02545 pctl0.84923

Details

H2O Deserialization of Untrusted Data Vulnerability A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are passed to DriverManager.getConnection, leading to deserialization if a MySQL or PostgreSQL driver is available in the classpath. This issue is fixed in version 3.46.0.6.

Metadata

Created: 2025-03-20T12:32:39Z
Modified: 2025-03-20T19:38:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-h7xg-cmpp-48hf/GHSA-h7xg-cmpp-48hf.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-h7xg-cmpp-48hf
Finding: F096
Auto approve: 1