CVE-2024-10553
Published 2025-03-20
Priority: P2 66 · Severity: critical · CVSS 3.0: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.44% (69.9th percentile)
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are passed to DriverManager.getConnection, leading to deserialization if a MySQL or PostgreSQL driver is available in the classpath. This issue is fixed in version 3.47.0.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| h2o | h2o | — | — |
| h2o | h2o | >= 0 < 3.46.0.6 | 3.46.0.6 |
| h2oai | h2oai_h2o-3 | >= unspecified < 3.47.0 | 3.47.0 |
| linux | linux_kernel | >= 0 < 6.12.8-1 | 6.12.8-1 |
GHSA · 2025-03-20
CVE-2024-10553 [CRITICAL] CWE-502 H2O Deserialization of Untrusted Data Vulnerability
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are passed to DriverManager.getConnection, leading to deserialization if a MySQL or PostgreSQL driver is available in the classpath. This issue is fixed in version 3.46.0.6.
OSV · 2025-03-20
CVE-2024-10553 [CRITICAL] H2O Deserialization of Untrusted Data Vulnerability
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are passed to DriverManager.getConnection, leading to deserialization if a MySQL or PostgreSQL driver is available in the classpath. This issue is fixed in version 3.46.0.6.
OSV · 2025-01-11
CVE-2024-53689: In the Linux kernel, the following vulnerability has been resolved:
block: Fix potential deadlock while freezing queue and acquiring sysfs_lock
For storing a value to a queue attribute, the queue_attr_store function first freezes the queue (->q_usage_counter(io)) and then acquires ->sysfs_lock. This seems not correct as the usual ordering should be to acquire ->sysfs_lock before freezing the queue. This incorrect ordering causes the following lockdep splat which we are able to reproduce always simply by accessing the /sys/kernel/debug file using the ls command:
```text
[ 57.597146] WARNING: possible circular locking dependency detected
[ 57.597154] 6.12.0-10553-gb86545e02e8c #20 Tainted: G W
[ 57.597162] ------------------------------------------------------
[ 57.597168] ls/4605 is trying to acquire loc
```
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-03-20