PT-2025-12172 · H2O.Ai · H2O-3
Published
2025-03-20
·
Updated
2025-03-20
·
CVE-2024-6863
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
h2oai/h2o-3 version 3.46.0
Description
The issue allows an attacker to encrypt any files on the target server with a key of their choosing through an endpoint exposing a custom EncryptionTool. This can result in ransomware-like behavior, making it difficult for the target to recover the keys needed for decryption. The attacker can also overwrite the chosen key.
Recommendations
For h2oai/h2o-3 version 3.46.0, consider disabling access to the custom EncryptionTool endpoint as a temporary workaround until a patch is available. Restrict access to sensitive files and directories to minimize the risk of exploitation.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
H2O-3