Home » Database

AVID-2026-R1370

Description

Jdbc Deserialization in h2oai/h2o-3 (CVE-2024-10553)

Details

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are passed to DriverManager.getConnection, leading to deserialization if a MySQL or PostgreSQL driver is available in the classpath. This issue is fixed in version 3.47.0.

Reason for inclusion in AVID: The CVE pertains to h2o-3, a machine learning framework used in AI pipelines. The vulnerability enables unauthenticated remote code execution via deserialization in the ML software stack, affecting components used to build/deploy AI systems (model training/serving, data pipelines). This is a software supply-chain issue within AI software stacks. The report provides explicit vulnerability details and a fix version, including CVSS metrics and affected endpoints, satisfying evidence requirements.

References

Affected or Relevant Artifacts

  • Developer: h2oai
  • Deployer: h2oai
  • Artifact Details:
TypeName
Systemh2oai/h2o-3

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.0
Vector StringCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score9.8
Base Severity🔴 Critical
Attack VectorNETWORK
Attack Complexity🟢 Low
Privileges RequiredNONE
User InteractionNONE
ScopeUNCHANGED
Confidentiality Impact🔴 High
Integrity Impact🔴 High
Availability Impact🔴 High

CWE

IDDescription
CWE-502CWE-502 Deserialization of Untrusted Data

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2025-03-20
  • Version: 0.3.3
  • AVID Entry