CVE-2024-45758

H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with any typical JDBC Connection URL attack payload such as one that uses queryInterceptors.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/AfterSnows/c24ca3c26dc89ab797e610e92a6a9acb	Third Party Advisory
https://spear-shield.notion.site/Unauthenticated-Remote-Code-Execution-via-Unrestricted-JDBC-Connection-87a958a4874044199cbb86422d1f6068	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:h2o:h2o:*:*:*:*:*:*:*:*

History

29 Sep 2025, 13:56

Type	Values Removed	Values Added
First Time		H2o h2o H2o
CPE		cpe:2.3:a:h2o:h2o::::::::
References	~~() https://gist.github.com/AfterSnows/c24ca3c26dc89ab797e610e92a6a9acb -~~	() https://gist.github.com/AfterSnows/c24ca3c26dc89ab797e610e92a6a9acb - Third Party Advisory
References	~~() https://spear-shield.notion.site/Unauthenticated-Remote-Code-Execution-via-Unrestricted-JDBC-Connection-87a958a4874044199cbb86422d1f6068 -~~	() https://spear-shield.notion.site/Unauthenticated-Remote-Code-Execution-via-Unrestricted-JDBC-Connection-87a958a4874044199cbb86422d1f6068 - Exploit, Third Party Advisory

06 Sep 2024, 18:35

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-06 16:15

Updated : 2025-09-29 13:56

NVD link : CVE-2024-45758

Mitre link : CVE-2024-45758

CVE.ORG link : CVE-2024-45758

JSON object : View

Products Affected

h2o

h2o

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2024-45758", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2024-09-06T16:15:03.517", "references": [{"url": "https://gist.github.com/AfterSnows/c24ca3c26dc89ab797e610e92a6a9acb", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://spear-shield.notion.site/Unauthenticated-Remote-Code-Execution-via-Unrestricted-JDBC-Connection-87a958a4874044199cbb86422d1f6068", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with any typical JDBC Connection URL attack payload such as one that uses queryInterceptors."}, {"lang": "es", "value": "H2O.ai H2O hasta la versi\u00f3n 3.46.0.4 permite a los atacantes configurar arbitrariamente la URL de JDBC, lo que genera ataques de deserializaci\u00f3n, lectura de archivos y ejecuci\u00f3n de comandos. La explotaci\u00f3n puede ocurrir cuando un atacante tiene acceso para publicar en la URL ImportSQLTable con un documento JSON que contiene una propiedad connection_url con cualquier payload t\u00edpico de ataque de URL de conexi\u00f3n de JDBC, como una que utiliza queryInterceptors."}], "lastModified": "2025-09-29T13:56:10.890", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:h2o:h2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F53A82D5-5FCE-456E-A66F-2E46759ABC8C", "versionEndIncluding": "3.46.0.4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}