CVE-2024-10553

Name of the Vulnerable Software and Affected Versions h2oai/h2o-3 versions 3.46.0.4 through 3.46.0.5

Description A vulnerability in the h2oai/h2o-3 REST API allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The issue exists in the endpoints "POST /99/ImportSQLTable" and "POST /3/SaveToHiveTable", where user-controlled JDBC URLs are passed to DriverManager.getConnection, leading to deserialization if a MySQL or PostgreSQL driver is available in the classpath.

Recommendations For versions 3.46.0.4 through 3.46.0.5, update to version 3.47.0 or 3.46.0.6 to resolve the issue. As a temporary workaround, consider restricting access to the "POST /99/ImportSQLTable" and "POST /3/SaveToHiveTable" endpoints until a patch is available. Avoid using user-controlled JDBC URLs in the affected API endpoints until the issue is resolved.