CVE-2024-5979
published 2024-06-27
Priority P337 | high | 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.79% (51.6th percentile)
In h2oai/h2o-3 version 3.46.0, the `run_tool` command in the `rapids` component allows the `main` function of any class under the `water.tools` namespace to be called. One such class, `MojoConvertTool`, crashes the server when invoked with an invalid argument, causing a denial of service.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| h2o | h2o | — | — |
| h2o | h2o | 0 – 3.46.0 | — |
| h2oai | h2oai_h2o-3 | >= unspecified < 3.46.0.6 | 3.46.0.6 |
OSV
h2o vulnerable to unexpected POST request shutting down server
osv·2024-06-27
CVE-2024-5979 [HIGH] h2o vulnerable to unexpected POST request shutting down server
GHSA
h2o vulnerable to unexpected POST request shutting down server
ghsa·2024-06-27
CVE-2024-5979 [HIGH] CWE-400 h2o vulnerable to unexpected POST request shutting down server
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-06-27
Published