CVE-2024-8862

A vulnerability, which was classified as critical, has been found in h2oai h2o-3 3.46.0.4. This issue affects the function getConnectionSafe of the file /dtale/chart-data/1 of the component JDBC Connection Handler. The manipulation of the argument query leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:h2o:h2o:3.46.0.4:*:*:*:*:*:*:*

History

20 Sep 2024, 15:47

Type Values Removed Values Added
References () https://rumbling-slice-eb0.notion.site/Unauthenticated-Remote-Command-Execution-via-Panda-df-query-9dc40f0477ee4b65806de7921876c222?pvs=4 - () https://rumbling-slice-eb0.notion.site/Unauthenticated-Remote-Command-Execution-via-Panda-df-query-9dc40f0477ee4b65806de7921876c222?pvs=4 - Exploit, Third Party Advisory
References () https://vuldb.com/?ctiid.277499 - () https://vuldb.com/?ctiid.277499 - Permissions Required, VDB Entry
References () https://vuldb.com/?id.277499 - () https://vuldb.com/?id.277499 - Third Party Advisory, VDB Entry
References () https://vuldb.com/?submit.403200 - () https://vuldb.com/?submit.403200 - Third Party Advisory, VDB Entry
CVSS v2 : 7.5
v3 : 7.3
v2 : 7.5
v3 : 9.8
CPE cpe:2.3:a:h2o:h2o:3.46.0.4:*:*:*:*:*:*:*
First Time H2o
H2o h2o

16 Sep 2024, 15:30

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-14 20:15

Updated : 2024-09-20 15:47


NVD link : CVE-2024-8862

Mitre link : CVE-2024-8862

CVE.ORG link : CVE-2024-8862


JSON object : View

Products Affected

h2o

  • h2o
CWE
CWE-502

Deserialization of Untrusted Data