Denial of Service via Invalid Argument in h2oai/h2o-3
CVE-2024-5979
7.5 HIGH
What is CVE-2024-5979?
In H2O.ai's H2O-3 version 3.46.0, a vulnerability exists within the run_tool command of the rapids component. This flaw allows the main function of any class under the water.tools namespace to be invoked. Specifically, invoking the MojoConvertTool class with invalid arguments results in server crashes, thereby causing a denial of service condition. This vulnerability highlights the need for careful validation of inputs in command-line tools to prevent disruptions in service.
Affected Version(s)
h2oai/h2o-3 < 3.46.0.6
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
CVSS V3.0
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
