Lucene search

@huntr_aiCVELIST:CVE-2024-5979

HistoryJun 27, 2024 - 6:40 p.m.

CVE-2024-5979 Denial of Service via Invalid Argument in h2oai/h2o-3

2024-06-2718:40:07

CWE-400

@huntr_ai

www.cve.org

cve-2024-5979

denial of service

h2o-3

invalid argument

mojoconverttool

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

9.1%

JSON

In h2oai/h2o-3 version 3.46.0, the run_tool command in the rapids component allows the main function of any class under the water.tools namespace to be called. One such class, MojoConvertTool, crashes the server when invoked with an invalid argument, causing a denial of service.

CNA Affected

[
  {
    "vendor": "h2oai",
    "product": "h2oai/h2o-3",
    "versions": [
      {
        "version": "unspecified",
        "status": "affected",
        "versionType": "custom",
        "lessThanOrEqual": "latest"
      }
    ]
  }
]

References

huntr.com/bounties/d80a2139-fc03-44b7-b739-de41e323b458

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for CVELIST:CVE-2024-5979