Deserialization Vulnerability in h2oai h2o-3 JDBC Connection Handler
CVE-2024-8862

9.8CRITICAL

Key Information:

Vendor

h2oai

Status
H2o
Vendor
CVE Published:
14 September 2024

What is CVE-2024-8862?

A deserialization vulnerability has been identified in the h2oai h2o-3 version 3.46.0.4, specifically affecting the getConnectionSafe method within the JDBC Connection Handler component. Through improper handling of the query argument, an attacker can exploit this vulnerability remotely, leading to potential unauthorized access and manipulation of data. Despite early notifications to h2oai regarding the vulnerability, there has been no response from the vendor, raising concerns about the promptness of necessary mitigative actions. Organizations using the affected version of h2o-3 should immediately assess their systems and apply relevant security measures.

References

https://vuldb.com/?id.277499
https://vuldb.com/?ctiid.277499
https://vuldb.com/?submit.403200

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

JSON
.
CVE-2024-8862 : Deserialization Vulnerability in h2oai h2o-3 JDBC Connection Handler