AVID-2026-R1533
Description
Vulnerability CVE-2024-45758
Details
H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with any typical JDBC Connection URL attack payload such as one that uses queryInterceptors.
Reason for inclusion in AVID: The CVE describes a vulnerability in H2O.ai H2O (an ML/AI platform) in which an unrestricted, attacker-controlled JDBC URL leads to deserialization-based arbitrary code execution, file reads, and command execution. H2O is a component commonly used in AI model training, serving, and data pipelines, so this vulnerability can impact AI software stacks and their dependencies. As such, it is a software supply-chain issue within general-purpose AI systems and poses a security risk. The CVE description provides explicit exploitation and impact signals, supporting its inclusion in AVID curation.
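The root cause above is an endpoint that passes a caller-supplied connection_url straight to a JDBC driver. The following is an added illustration, not H2O's own code, of the mitigation a deployer would want in front of such an endpoint: an allow-list validator for the URL (subprotocol, host, embedded credentials, and connection properties). The policy constants, host name and property names are assumptions for the example.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Constructed policy (an assumption for this example): the JDBC subprotocols,
# database hosts and connection properties this deployment may import from.
# Anything else is rejected, so a property such as queryInterceptors, which
# makes some drivers load caller-named classes, never reaches the driver.
ALLOWED_SUBPROTOCOLS = {"postgresql", "mysql"}
ALLOWED_HOSTS = {"warehouse.internal.example"}
ALLOWED_PARAMS = {"sslmode", "useSSL", "connectTimeout"}

class InvalidJdbcUrl(ValueError):
    """Raised when a user-supplied connection_url fails the allow-list."""

def validate_jdbc_url(url: str) -> dict:
    """Parse jdbc:<subprotocol>://host[:port]/db[?k=v&...] and enforce the policy."""
    if not url.startswith("jdbc:"):
        raise InvalidJdbcUrl("not a jdbc: URL")
    subprotocol, sep, target = url[len("jdbc:"):].partition(":")
    if not sep or subprotocol not in ALLOWED_SUBPROTOCOLS:
        raise InvalidJdbcUrl(f"subprotocol not allowed: {subprotocol!r}")
    # Some drivers also accept ';'-separated properties; refuse that syntax so
    # every property must pass through the query-string check below.
    if ";" in target or "\\" in target:
        raise InvalidJdbcUrl("unexpected separator in connection target")
    parts = urlsplit(target)  # target has the form //host[:port]/db[?query]
    if parts.username is not None or parts.password is not None:
        raise InvalidJdbcUrl("credentials must not be embedded in the URL")
    if parts.hostname not in ALLOWED_HOSTS:
        raise InvalidJdbcUrl(f"host not allowed: {parts.hostname!r}")
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    unexpected = sorted(set(params) - ALLOWED_PARAMS)
    if unexpected:
        raise InvalidJdbcUrl(f"connection properties not allowed: {unexpected}")
    return {"subprotocol": subprotocol, "host": parts.hostname, "port": parts.port,
            "database": parts.path.lstrip("/"), "params": params}

def check_import_request(body: str) -> tuple:
    """Validate connection_url in a JSON import body; returns (True, "ok") or (False, reason)."""
    try:
        doc = json.loads(body)
        url = doc.get("connection_url") if isinstance(doc, dict) else None
        if not isinstance(url, str):
            raise InvalidJdbcUrl("connection_url missing or not a string")
        validate_jdbc_url(url)
        return True, "ok"
    except ValueError as exc:  # InvalidJdbcUrl and JSONDecodeError are ValueErrors
        return False, str(exc)
```

Rejections are returned as reasons rather than raised so the handler can log them; a spike of rejected connection_url values on the import endpoint is a useful detection signal.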
References
- NVD entry
- https://spear-shield.notion.site/Unauthenticated-Remote-Code-Execution-via-Unrestricted-JDBC-Connection-87a958a4874044199cbb86422d1f6068
- https://gist.github.com/AfterSnows/c24ca3c26dc89ab797e610e92a6a9acb
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | n/a |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-09-06
- Version: 0.3.3
- AVID Entry