cbcvebase.
CVE-2024-5979
published 2024-06-27


Priority: P3, 37 | Severity: high | CVSS 3.0: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.79% (51.6th percentile)
In h2oai/h2o-3 version 3.46.0, the `run_tool` command in the `rapids` component allows the `main` function of any class under the `water.tools` namespace to be called. One such class, `MojoConvertTool`, crashes the server when invoked with an invalid argument, causing a denial of service.

Affected (3 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| h2o | h2o | | |
| h2o | h2o | 0 – 3.46.0 | |
| h2oai | h2oai_h2o-3 | >= unspecified < 3.46.0.6 | 3.46.0.6 |