PT-2024-31754 · H2O.Ai · H2O

Aftersnows · Published 2024-09-06 · Updated 2025-09-29 · CVE-2024-45758

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: H2O.ai H2O versions 3.46.0.4 and earlier
Description: The issue allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the "ImportSQLTable" URI with a JSON document containing a connection url property with any typical JDBC Connection URL attack payload.
Recommendations: For versions 3.46.0.4 and earlier, update to a patched version to resolve the issue. As a temporary workaround, consider restricting access to the ImportSQLTable URI to minimize the risk of exploitation. Avoid using the connection url property in the affected JSON documents until the issue is resolved.
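The workaround above (restrict who can reach ImportSQLTable and what they may submit) as an added example written for this page, not code from H2O.ai: a request gate a reverse proxy could apply before forwarding to H2O, allowing the import endpoint only from an admin network and only with a JDBC URL whose driver, host and parameters are on an allowlist. The path fragment, the `connection_url` field name, the JSON body shape and the policy values are assumptions taken from the description above.

```python
import ipaddress
import json
from urllib.parse import parse_qs, urlsplit

# Constructed policy for this example, not H2O's own configuration.
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # who may import tables
ALLOWED_SUBPROTOCOLS = {"postgresql", "mysql"}          # JDBC drivers allowed
ALLOWED_HOSTS = {"db.internal", "analytics-db.internal"}
ALLOWED_PARAMS = {"ssl", "sslmode"}  # any other URL parameter is rejected

# Assumed path fragment and JSON field name; the advisory only names
# "ImportSQLTable" and a "connection url" property, so match the deployed API.
IMPORT_PATH = "ImportSQLTable"
URL_FIELD = "connection_url"


def jdbc_url_allowed(url: str) -> bool:
    """True only for jdbc:<driver>://<host>/... with an allowlisted driver and
    host, no embedded credentials and no parameters outside ALLOWED_PARAMS."""
    if not url.startswith("jdbc:") or ";" in url:  # ';' starts driver options
        return False
    parts = urlsplit(url[len("jdbc:"):])  # driver becomes the URL scheme
    if parts.scheme not in ALLOWED_SUBPROTOCOLS or parts.fragment:
        return False
    if parts.username is not None or parts.hostname not in ALLOWED_HOSTS:
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return set(params) <= ALLOWED_PARAMS


def gate_request(method: str, path: str, body: str, client_ip: str):
    """Decide whether a request may reach H2O. Returns (allowed, reason)."""
    if IMPORT_PATH not in path:
        return True, "not an import request"
    if not any(ipaddress.ip_address(client_ip) in n for n in ADMIN_NETWORKS):
        return False, "client not allowed to reach the import endpoint"
    if method.upper() != "POST":
        return False, "only POST is expected on the import endpoint"
    try:
        doc = json.loads(body)
    except ValueError:
        return False, "body is not JSON"
    url = doc.get(URL_FIELD) if isinstance(doc, dict) else None
    if not isinstance(url, str):
        return False, f"missing or non-string {URL_FIELD}"
    if not jdbc_url_allowed(url):
        return False, "JDBC URL is not on the allowlist"
    return True, "allowed"
```

Rejections are returned with a reason so the proxy can log them; a burst of rejected import requests from one client is itself worth alerting on.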


Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2024-45758
GHSA-HRMC-JMP7-MPM2

Affected Products

H2O