CVE-2024-8862

Name of the Vulnerable Software and Affected Versions: h2oai h2o-3 version 3.46.0.4

Description: A critical issue has been found in the getConnectionSafe function of the component JDBC Connection Handler, affecting the file /dtale/chart-data/1. The manipulation of the query argument leads to deserialization. This issue can be initiated remotely. The vendor was contacted about this disclosure but did not respond.

Recommendations: For h2oai h2o-3 version 3.46.0.4, as a temporary workaround, consider disabling the getConnectionSafe function until a patch is available. Restrict access to the /dtale/chart-data/1 endpoint to minimize the risk of exploitation. Avoid using the query parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.