Описание
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are passed to DriverManager.getConnection, leading to deserialization if a MySQL or PostgreSQL driver is available in the classpath. This issue is fixed in version 3.47.0.
Ссылки
- Patch
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1
cpe:2.3:a:h2o:h2o:3.46.0.4:*:*:*:*:*:*:*
EPSS
Процентиль: 88%
0.03693
Низкий
9.8 Critical
CVSS3
Дефекты
CWE-502
Связанные уязвимости
CVSS3: 9.8
github
11 месяцев назад
H2O Deserialization of Untrusted Data Vulnerability
EPSS
Процентиль: 88%
0.03693
Низкий
9.8 Critical
CVSS3
Дефекты
CWE-502