PT-2024-37289 · H2O.Ai · H2O-3

Published: 2024-06-27 · Updated: 2025-07-15 · CVE-2024-5979

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: h2oai/h2o-3 version 3.46.0
Description: The issue allows the main function of any class under the water.tools namespace to be called through the run tool command in the rapids component. Specifically, the MojoConvertTool class can cause the server to crash when invoked with an invalid argument, resulting in a denial of service.
Recommendations: For h2oai/h2o-3 version 3.46.0, consider restricting access to the run tool command in the rapids component to prevent invocation of the MojoConvertTool class with invalid arguments until a patch is available.

Exploit

Fix

DoS

Resource Exhaustion

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2024-5979
GHSA-58M3-RCVP-F9WW

Affected Products

H2O-3