H2O.ai H2O vulnerable to deserialization attacks via a JDBC Connection URL

🗓️ 06 Sep 2024 18:31:31Reported by GitHub Advisory DatabaseType

H2O up to 3.46.0.4 vulnerable to deserialization, file reads, and command execution via a JDBC connection_url in ImportSQLTable.

Reporter	Title	Published	Views	Family All 19
Huntr	Mysql Jdbc Attck about CVE-2024-45758 and CVE-2024-10553 Bypass	3 Jun 202505:09	–	huntr
Circl	CVE-2024-45758	6 Sep 202419:06	–	circl
CNNVD	H2O 安全漏洞	6 Sep 202400:00	–	cnnvd
CNVD	H2O Remote Code Execution Vulnerability	11 Sep 202400:00	–	cnvd
CVE	CVE-2024-45758	6 Sep 202400:00	–	cve
Cvelist	CVE-2024-45758	6 Sep 202400:00	–	cvelist
GitLab Advisory Database	H2O.ai H2O vulnerable to deserialization attacks via a JDBC Connection URL	6 Sep 202400:00	–	gitlab
Tenable Nessus	H2O-3 Multiple Deserialization Vulnerabilities	16 Dec 202400:00	–	nessus
NVD	CVE-2024-45758	6 Sep 202416:15	–	nvd
OSV	GHSA-HRMC-JMP7-MPM2 H2O.ai H2O vulnerable to deserialization attacks via a JDBC Connection URL	6 Sep 202418:31	–	osv

Vulners

Node

h2o h2oRange≤3.46.0.7pip

ai.h2o h2o-coreRange≤3.46.0.7maven

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2024-45758
gist	www.gist.github.com/AfterSnows/c24ca3c26dc89ab797e610e92a6a9acb
spear-shield	www.spear-shield.notion.site/Unauthenticated-Remote-Code-Execution-via-Unrestricted-JDBC-Connection-87a958a4874044199cbb86422d1f6068
github	www.github.com/h2oai/h2o-3/issues/16425
github	www.github.com/h2oai/h2o-3/issues/16622
github	www.github.com/h2oai/h2o-3/pull/16624
github	www.github.com/h2oai/h2o-3/commit/f714edd6b8429c7a7211b779b6ec108a95b7382d
github	www.github.com/advisories/GHSA-hrmc-jmp7-mpm2

23 Sep 2025 18:25Current

7.3High risk

Vulners AI Score7.3

CVSS 3.19.1

EPSS0.00106

SSVC