6 matches found
CVE-2024-7768
A vulnerability in the /3/ImportFiles endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. The endpoint takes a single GET parameter, path, which can be recursively set to reference itself. This leads the server to repeatedly call its own endpoint, eventually...
CVE-2024-8062 Denial of Service in h2oai/h2o-3
A vulnerability in the typeahead endpoint of h2oai/h2o-3 version 3.46.0 allows for a denial of service. The endpoint performs a HEAD request to verify the existence of a specified resource without setting a timeout. An attacker can exploit this by sending multiple requests to an attacker-controll...
CVE-2024-8062
CVE-2024-8062 affects the h2oai/h2o-3 package (version 3.46.0) via the typeahead endpoint. The vulnerability arises when the endpoint uses a HEAD request to verify resource existence without a timeout, which can be exploited by sending many requests to an attacker‑controlled server that hangs, ca...
CVE-2024-10572 Denial of Service and Arbitrary File Write in h2oai/h2o-3
In h2oai/h2o-3 version 3.46.0.1, the runtool command exposes classes in the water.tools package through the ast parser. This includes the XGBoostLibExtractTool class, which can be exploited to shut down the server and write large files to arbitrary directories, leading to a denial of service...
CVE-2024-10572 Denial of Service and Arbitrary File Write in h2oai/h2o-3
In h2oai/h2o-3 version 3.46.0.1, the runtool command exposes classes in the water.tools package through the ast parser. This includes the XGBoostLibExtractTool class, which can be exploited to shut down the server and write large files to arbitrary directories, leading to a denial of service...
CVE-2024-7765 Denial of Service in h2oai/h2o-3
In h2oai/h2o-3 version 3.46.0.2, a vulnerability exists where uploading and repeatedly parsing a large GZIP file can cause a denial of service. The server becomes unresponsive due to memory exhaustion and a large number of concurrent slow-running jobs. This issue arises from the improper handling...