cbcvebase.
CVE-2024-10553
published 2025-03-20

Priority: P266
Severity: critical, 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.44% (69.9th percentile)
A vulnerability in the h2oai/h2o-3 REST API, version 3.46.0.4, allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are passed to DriverManager.getConnection, leading to deserialization if a MySQL or PostgreSQL driver is available on the classpath. This issue is fixed in version 3.47.0.

Affected (4 ranges)

Vendor   Product        Version range              Fixed in
h2o      h2o            (unspecified)              (unspecified)
h2o      h2o            >= 0 < 3.46.0.6            3.46.0.6
h2oai    h2oai_h2o-3    >= unspecified < 3.47.0    3.47.0
linux    linux_kernel   >= 0 < 6.12.8-1            6.12.8-1