AIKIDO-2024-10414

h2o is vulnerable to Deserialization of Untrusted Data

92

Critical

h2o python

AIKIDO-2024-10414: h2o is vulnerable to Deserialization of Untrusted Data in versions 3.10.0.3 - 3.46.0.5.

Deserialization of Untrusted Data
Vulnerable in 3.10.0.3 - 3.46.0.5
Fixed in 3.46.0.6
CVE-2020-45758
TL;DR

Affected versions of this package are vulnerable to unauthenticated remote code execution via an unrestricted JDBC connection. H2O establishes the connection through a method named getConnectionSafe, which suggests the intent was to establish a secure connection; in practice, however, no restrictions are placed on the JDBC connection settings, so an attacker can set the JDBC URL arbitrarily. This can lead to deserialization attacks, file reads, command execution, and other risks on the victim's server.
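As an added illustration (not h2o's own code), the kind of caller-side allowlist check a Python application can apply to a JDBC connection URL before handing it to any JDBC-backed import: the driver name, host, ports and permitted query keys must all be explicitly allowed, which is the restriction the advisory says was missing. The function name and all allowlist values are constructed for this example.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed allowlist for this example; a real deployment would load it
# from operator-owned configuration, never from request or notebook input.
ALLOWED_SUBPROTOCOLS = {"postgresql", "mysql"}
ALLOWED_HOSTS = {"db.internal.example"}
ALLOWED_PORTS = {5432, 3306}
ALLOWED_QUERY_KEYS = {"sslmode"}
DB_NAME = re.compile(r"^/[A-Za-z0-9_]+$")


def jdbc_url_rejection(url: str) -> Optional[str]:
    """Return None if every component of url is allowlisted, else the reason.

    Deliberately an allowlist: driver, host, port, database name and query
    keys must each be explicitly permitted, so a caller cannot steer the
    connection to a driver, host or driver option the operator never chose.
    """
    if re.search(r"[;\s\\]", url):
        return "separator or whitespace characters are not allowed"
    if not url.startswith("jdbc:"):
        return "not a jdbc: URL"
    subprotocol, sep, remainder = url[len("jdbc:"):].partition(":")
    if not sep or subprotocol not in ALLOWED_SUBPROTOCOLS:
        return f"driver {subprotocol!r} is not allowlisted"
    # Re-attach a scheme so urlsplit parses host, port, path and query.
    try:
        parts = urlsplit(f"{subprotocol}:{remainder}")
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return "malformed authority or port"
    if "@" in parts.netloc:
        return "credentials must be passed separately, not in the URL"
    if parts.hostname not in ALLOWED_HOSTS:
        return f"host {parts.hostname!r} is not allowlisted"
    if port is not None and port not in ALLOWED_PORTS:
        return f"port {port} is not allowlisted"
    if not DB_NAME.match(parts.path):
        return "database name must be a plain identifier"
    for key, _ in parse_qsl(parts.query, keep_blank_values=True):
        if key not in ALLOWED_QUERY_KEYS:
            return f"driver option {key!r} is not allowlisted"
    if parts.fragment:
        return "fragments are not allowed"
    return None
```

A caller would refuse to open the connection whenever the function returns a reason, and log that reason rather than the full URL.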

Who does this affect?

You are affected if you use a version within the vulnerable range, 3.10.0.3 - 3.46.0.5.

How can it be fixed?

Upgrade the h2o library to the patched version, 3.46.0.6.


© 2024 Aikido Security BV | BE0792914919