GHSA-5W3J-GWGH-4RFV H2O affected by a deserialization vulnerability
A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.7, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and...
CVE-2025-6544
A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and...
CVE-2025-6544 Deserialization Vulnerability in h2oai/h2o-3
A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and...
H2O Security Vulnerability
H2O is an open source in-memory platform for distributed, scalable machine learning from H2O.ai. A security vulnerability exists in H2O 3.46.0.8 and earlier versions, which stems from improper handling of JDBC connection parameters and could lead to reading arbitrary system files and executing...
BIT-NIFI-2023-40037 Apache NiFi: Incomplete Validation of JDBC and JNDI Connection URLs
Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custo...
CVE-2025-5662 Deserialization Vulnerability in h2oai/h2o-3
A deserialization vulnerability exists in the H2O-3 REST API POST /99/ImportSQLTable that affects all versions up to 3.46.0.7. This vulnerability allows remote code execution (RCE) due to improper validation of JDBC connection parameters when using a Key-Value format. The vulnerability is present i...
Deserialization of Untrusted Data
Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the SQLManager class, exploitable when the user defines JDBC connections as a key-value pair. An attacker can execute arbitrary code and access unauthorized system files by injecting malicious...
PT-2025-34686 · Dataease · Dataease
Name of the Vulnerable Software and Affected Versions: DataEase versions prior to 2.10.12. Description: DataEase is an open-source business intelligence and data visualization tool. Prior to version 2.10.12, an H2 JDBC Remote Code Execution (RCE) bypass exists. If the JDBC URL meets specific criteria...
Unspecified Vulnerability in Oracle Database Server (CNVD-2025-24078)
Oracle Database Server is a relational database management system from Oracle Corporation of the United States. The database management system provides data management, distributed processing and other functions. Oracle Database Server has a security vulnerability in the Oracle Database Server JDBC component that...
DataEase Security Vulnerability
DataEase is an open source data visualization and analysis tool from DataEase Open Source. It is used to help users quickly analyze data and gain insight into business trends for business improvement and optimization. A security vulnerability exists in DataEase versions before 2.10.11; the...
Apache InLong Code Issue Vulnerability
Apache InLong is a one-stop mass data integration framework from the Apache Software Foundation of the United States. It provides automated, secure, and reliable data transfer capabilities. A code issue vulnerability exists in Apache InLong versions 1.13.0 to 2.1.0, which stems from deserialization of untrusted data and...
DataEase Security Vulnerability
DataEase is an open source data visualization and analysis tool from DataEase Open Source. It is used to help users quickly analyze data and gain insight into business trends for business improvement and optimization. A security vulnerability exists in DataEase versions prior to 2.10.8 that...
Red Hat Infinispan Log Information Disclosure Vulnerability
Red Hat Infinispan is a distributed caching and key-value NoSQL data store software from Red Hat, Inc. A log information disclosure vulnerability exists in Red Hat Infinispan that stems from the use of JDBCPING, where sensitive information may be exposed through the logging mechanism, leading to...
IBM Data Virtualization Manager Security Vulnerability
IBM Data Virtualization Manager is a general-purpose query engine from International Business Machines (IBM) that performs distributed and virtualized queries across databases, data warehouses, data lakes, and streaming data. A code execution vulnerability exists in IBM Data Virtualization Manager...
Snowflake JDBC Security Vulnerability
Snowflake JDBC is an application from Snowflake, Inc. that provides a JDBC type 4 driver supporting the core functionality and allowing Java programs to connect to Snowflake. A security vulnerability exists in Snowflake JDBC versions 3.2.6 through 3.19.1, which stems from having incorrect security...
PT-2024-31754
Name of the Vulnerable Software and Affected Versions: H2O.ai H2O versions 3.46.0.4 and earlier. Description: The issue allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to pos...
TIBCO Software Jaspersoft JasperReports Server Security Vulnerability
TIBCO Software Jaspersoft JasperReports Server is a report generation tool from TIBCO Software, USA. The product supports PDF, HTML, XLS, CSV and XML file output formats. A security vulnerability exists in TIBCO Software Jaspersoft JasperReports Server versions 8.0.4 through 9.0.0, which stems fr...
CVE-2023-35701
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Hive. The vulnerability affects the Hive JDBC driver component and it can potentially lead to arbitrary code execution on the machine/endpoint that the JDBC driver client is running on. The malicious user must have...
CVE-2023-4552 Java Database Connectivity (JDBC) URL Manipulation
Improper Input Validation vulnerability in OpenText AppBuilder on Windows and Linux allows Probe System Files. An authenticated AppBuilder user with the ability to create or manage existing databases can leverage them to exploit the AppBuilder server, including access to its local file system. This...