
10 matches found

OSV
added 2025/07/18 8:3 p.m., 2 views

GHSA-X6PH-R535-3VJW apko is vulnerable to attack through incorrect permissions in /etc/ld.so.cache and other files

It was discovered that the ld.so.cache in images generated by apko had file system permissions mode 0666: bash-5.3 find / -type f -perm -o+w /etc/ld.so.cache. This issue was introduced in commit 04f37e2 "generate /etc/ld.so.cache 1629" v0.27.0. Impact: This potentially allows a local unprivileged us...

CVSS 7, AI score 5.9, EPSS 0.00071
Exploits: 0, References: 6
RedhatCVE
added 2025/05/23 8:7 a.m., 5 views

CVE-2024-45758

H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with a...

CVSS 9.1, AI score 7.1, EPSS 0.00106
Exploits: 1, References: 1
Positive Technologies
added 2025/05/02 12:0 a.m., 2 views

PT-2025-18919 · H2O.Ai · H2O-3

Name of the Vulnerable Software and Affected Versions: h2oai/h2o-3, affected versions not specified. Description: A vulnerability in the S3 bucket configuration allows public write access to the 'h2o-release' bucket. This could enable an attacker to overwrite any file in the bucket, potentially...

CVSS 10, AI score 9.4
Exploits: 0, References: 12
Positive Technologies
added 2025/03/20 12:0 a.m., 2 views

PT-2025-12045 · H2O.Ai · H2O-3

Name of the Vulnerable Software and Affected Versions: h2oai/h2o-3 version 3.46.0.1. Description: A denial of service (DoS) attack can be performed by exploiting a vulnerability in the "/3/ParseSetup" endpoint. This endpoint applies a user-specified regular expression to a user-controllable string,...

CVSS 7.5, AI score 7.3, EPSS 0.00345
Exploits: 1, References: 8
Positive Technologies
added 2025/03/20 12:0 a.m., 3 views

PT-2025-12044 · H2O.Ai · H2O-3

Name of the Vulnerable Software and Affected Versions: h2oai/h2o-3 version 3.46.0.1. Description: A denial of service (DoS) attack is possible due to a vulnerability in the "/3/Parse" endpoint. This endpoint uses a user-specified string to construct a regular expression, which is then applied to...

CVSS 7.5, AI score 7.3, EPSS 0.00345
Exploits: 1, References: 8
Positive Technologies
added 2025/03/20 12:0 a.m., 5 views

PT-2025-12046

Name of the Vulnerable Software and Affected Versions: h2oai/h2o-3 versions 3.46.0.4 through 3.46.0.5. Description: A vulnerability in the h2oai/h2o-3 REST API allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The issue exists in the endpoints...

CVSS 9.8, AI score 9.9, EPSS 0.02857
Exploits: 1, References: 8
NVD
added 2024/09/06 4:15 p.m., 7 views

CVE-2024-45758

H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with a...

CVSS 9.1, EPSS 0.00106
Exploits: 1, References: 2
CVE
added 2024/09/06 12:0 a.m., 60 views

CVE-2024-45758

CVE-2024-45758 affects H2O.ai H2O (up to and including 3.46.0.4). The issue arises from the ability to arbitrarily set the JDBC URL via the ImportSQLTable POST JSON payload containing a connection_url, which enables deserialization attacks, file reads, and command execution. Root cause relates to...

CVSS 9.1, AI score 6.8, EPSS 0.00106
Exploits: 1, References: 2, Affected Software: 1
Vulnrichment
added 2024/09/06 12:0 a.m., 17 views

CVE-2024-45758

H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with a...

AI score 7.1, EPSS 0.00106
Exploits: 1, References: 2
Cvelist
added 2024/09/06 12:0 a.m., 12 views

CVE-2024-45758

H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with a...

EPSS 0.00106
Exploits: 1, References: 2