GHSA-h7xg-cmpp-48hf

Source

https://github.com/advisories/GHSA-h7xg-cmpp-48hf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-h7xg-cmpp-48hf/GHSA-h7xg-cmpp-48hf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-h7xg-cmpp-48hf

Aliases

CVE-2024-10553

Published

2025-03-20T12:32:39Z

Modified

2025-03-20T20:00:53.538046Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

H2O Deserialization of Untrusted Data Vulnerability

Details

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are passed to DriverManager.getConnection, leading to deserialization if a MySQL or PostgreSQL driver is available in the classpath. This issue is fixed in version 3.46.0.6.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-20T19:07:18Z",
    "cwe_ids": [
        "CWE-502"
    ],
    "nvd_published_at": "2025-03-20T10:15:17Z",
    "severity": "CRITICAL"
}

References

Affected packages

PyPI / h2o

Package

Name: h2o; View open source insights on deps.dev
Purl: pkg:pypi/h2o

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.46.0.6

Affected versions

3.*

3.10.0.3

3.10.0.6

3.10.0.7

3.10.0.8

3.10.0.10

3.10.3.3

3.10.3.4

3.10.4.1

3.10.4.2

3.10.4.3

3.10.4.4

3.10.4.6

3.10.4.8

3.16.0.1

3.16.0.2

3.16.0.3

3.16.0.4

3.18.0.1

3.18.0.2

3.18.0.3

3.18.0.4

3.18.0.5

3.18.0.6

3.18.0.7

3.18.0.8

3.18.0.9

3.18.0.10

3.18.0.11

3.20.0.4

3.20.0.5

3.20.0.6

3.20.0.7

3.20.0.8

3.22.0.1

3.22.0.2

3.22.0.3

3.22.0.4

3.22.0.5

3.22.1.1

3.22.1.2

3.22.1.3

3.22.1.4

3.22.1.5

3.22.1.6

3.24.0.1

3.24.0.2

3.24.0.3

3.24.0.4

3.24.0.5

3.26.0.1

3.26.0.2

3.26.0.3

3.26.0.4

3.26.0.5

3.26.0.6

3.26.0.8

3.26.0.9

3.26.0.10

3.26.0.11

3.28.0.1

3.28.0.2

3.28.0.3

3.28.1.2

3.28.1.3

3.30.0.1

3.30.0.2

3.30.0.3

3.30.0.4

3.30.0.5

3.30.0.6

3.30.0.7

3.30.1.1

3.30.1.2

3.30.1.3

3.32.0.2

3.32.0.3

3.32.0.4

3.32.0.5

3.32.1.1

3.32.1.2

3.32.1.3

3.32.1.4

3.32.1.5

3.32.1.6

3.32.1.7

3.34.0.3

3.34.0.7

3.34.0.8

3.36.0.2

3.36.0.3

3.36.0.4

3.36.1.1

3.36.1.2

3.36.1.3

3.36.1.4

3.36.1.5

3.38.0.1

3.38.0.2

3.38.0.3

3.38.0.4

3.40.0.1

3.40.0.2

3.40.0.3

3.40.0.4

3.42.0.1

3.42.0.2

3.42.0.3

3.42.0.4

3.44.0.1

3.44.0.2

3.44.0.3

3.46.0.1

3.46.0.2

3.46.0.3

3.46.0.4

3.46.0.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-h7xg-cmpp-48hf/GHSA-h7xg-cmpp-48hf.json"

Maven / ai.h2o:h2o-core

Package

Name: ai.h2o:h2o-core; View open source insights on deps.dev
Purl: pkg:maven/ai.h2o/h2o-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.46.0.6

Affected versions

0.*

0.1.3

0.1.3.1

0.1.4

0.1.5

0.1.6

0.1.8

0.1.9

0.1.10

0.1.11

0.1.12

0.1.13

0.1.14

0.1.15

0.1.16

0.1.17

0.1.18

0.1.19

0.1.20

0.1.21

0.1.22

0.1.23

0.1.24

0.1.25

0.2.3.5

0.2.3.6

0.3.0.2

3.*

3.0.0.5

3.0.0.8

3.0.0.12

3.0.0.16

3.0.0.18

3.0.0.19

3.0.0.22

3.0.0.25

3.0.0.26

3.0.0.30

3.0.1.2

3.0.1.3

3.0.1.4

3.2.0.1

3.2.0.2

3.2.0.3

3.2.0.4

3.2.0.5

3.2.0.6

3.2.0.7

3.2.0.8

3.2.0.9

3.4.0.1

3.6.0.1

3.6.0.2

3.6.0.3

3.6.0.4

3.6.0.5

3.6.0.7

3.6.0.8

3.6.0.10

3.6.0.11

3.6.0.12

3.8.0.1

3.8.0.2

3.8.0.3

3.8.0.4

3.8.0.5

3.8.0.6

3.8.1.1

3.8.1.2

3.8.1.3

3.8.1.4

3.8.2.1

3.8.2.2

3.8.2.3

3.8.2.4

3.8.2.5

3.8.2.6

3.8.2.7

3.8.2.8

3.8.2.9

3.8.2.11

3.8.3.1

3.8.3.2

3.8.3.3

3.8.3.4

3.10.0.1

3.10.0.2