CVE-2024-8862

Опубликовано: 14 сент. 2024

Источник: nvd

CVSS3: 7.3

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

A vulnerability, which was classified as critical, has been found in h2oai h2o-3 3.46.0.4. This issue affects the function getConnectionSafe of the file /dtale/chart-data/1 of the component JDBC Connection Handler. The manipulation of the argument query leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Ссылки

https://rumbling-slice-eb0.notion.site/Unauthenticated-Remote-Command-Execution-via-Panda-df-query-9dc40f0477ee4b65806de7921876c222?pvs=4
Exploit
Third Party Advisory
https://vuldb.com/?ctiid.277499
Permissions Required
VDB Entry
https://vuldb.com/?id.277499
Third Party Advisory
VDB Entry
https://vuldb.com/?submit.403200
Third Party Advisory
VDB Entry

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:h2o:h2o:3.46.0.4:*:*:*:*:*:*:*

EPSS

Процентиль: 84%

0.02124

Низкий

7.3 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-502

Связанные уязвимости

GHSA-fg5m-m723-7mv6

CVSS3: 7.3

github

больше 1 года назад

D-Tale Command Execution Vulnerability

EPSS

Процентиль: 84%

0.02124

Низкий

7.3 High

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-502