CVE-2024-10553 CRITICAL

CVE-2024-10553: Jdbc Deserialization in h2oai/h2o-3

Vendor H2Oai
Product h2oai/h2o-3
Weakness CWE-502 · Unsafe deserialization
Published March 20, 2025
Last update March 20, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are passed to DriverManager.getConnection, leading to deserialization if a MySQL or PostgreSQL driver is available in the classpath. This issue is fixed in version 3.47.0.

Key dates

02Disclosure timeline

March 20, 2025 CVE published
March 20, 2025 Record updated