Last active October 10, 2024 14:31
CVE-2024-45758
## CVE-2024-45758: Unauthenticated Remote Code Execution via Unrestricted JDBC Connection
### Description
H2O.ai H2O version 3.46.0.4 contains a vulnerability that allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation occurs when an attacker is able to POST to the ImportSQLTable URI a JSON document containing a `connection_url` property with any typical JDBC connection URL attack payload, such as one that uses `queryInterceptors`.
Although H2O uses the `getConnectionSafe` method, which appears to be intended to establish a secure connection, no restrictions are placed on the JDBC connection settings. This allows attackers to set the JDBC URL arbitrarily, leading to potential deserialization attacks, file reads, command execution, and other risks on the victim's server.
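
The missing restriction can be expressed as a strict allowlist applied to `connection_url` before it reaches any JDBC driver. The following is an added example, not H2O-3 code and not the vendor's fix; the class `JdbcUrlPolicy`, the method `isAllowed`, the host `db.internal.example` and the allowlist contents are assumptions chosen for illustration.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class JdbcUrlPolicy {
    // Assumed deployment policy (hypothetical values, not taken from H2O-3). Needs Java 9+.
    static final Set<String> SCHEMES = Set.of("mysql", "postgresql");
    static final Set<String> HOSTS = Set.of("db.internal.example");
    static final Set<String> PARAMS = Set.of("useSSL", "characterEncoding", "connectTimeout");

    // Accept only the plain single-host form. Percent-encoding, multi-host lists and
    // parenthesised key-value host blocks do not match and are therefore rejected.
    static final Pattern SHAPE = Pattern.compile(
        "jdbc:([a-z]+)://([A-Za-z0-9.-]+)(?::(\\d{1,5}))?/([A-Za-z0-9_]+)(?:\\?(.*))?");
    static final Pattern PAIR = Pattern.compile("([A-Za-z]+)=([A-Za-z0-9._-]*)");

    // Returns true only if scheme, host and every connection property are allowlisted.
    static boolean isAllowed(String url) {
        if (url == null) return false;
        Matcher m = SHAPE.matcher(url);
        if (!m.matches()) return false;
        if (!SCHEMES.contains(m.group(1)) || !HOSTS.contains(m.group(2))) return false;
        String query = m.group(5);
        if (query == null) return true;            // no connection properties supplied
        for (String pair : query.split("&", -1)) {
            Matcher p = PAIR.matcher(pair);
            // Exact-match allowlist: unknown or differently-cased keys are refused.
            if (!p.matches() || !PARAMS.contains(p.group(1))) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the connection_url property.
        String[] samples = {
            "jdbc:mysql://db.internal.example:3306/sales?useSSL=true",      // allowed
            "jdbc:mysql://db.internal.example/sales?queryInterceptors=x",   // property not allowlisted
            "jdbc:mysql://198.51.100.7:3306/sales",                         // host not allowlisted
            "jdbc:mysql://db.internal.example/sales?%71ueryInterceptors=x", // encoded key, bad shape
            "jdbc:h2:mem:test"                                              // scheme and shape not allowed
        };
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "ALLOW  " : "REJECT ") + s);
        }
    }
}
```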
### Vulnerability Type
- Unauthenticated Remote Code Execution via Unrestricted JDBC Connection
### Affected Product Code Base
- H2O.ai H2O-3 <= 3.46.0.4 (latest)
### Affected Component
- H2O-3
### Attack Type
- Remote
### Impact
- Code Execution
### Attack Vectors
- Network
### Reference
- [Spear Shield Notion](https://spear-shield.notion.site/Unauthenticated-Remote-Code-Execution-via-Unrestricted-JDBC-Connection-87a958a4874044199cbb86422d1f6068)
### Discoverer
- Aftersnows, Gxh191, Hrp