| Title | h2oai h2o-3 3.46.0.4 Unauthenticated Remote Code Execution via Unrestricted JDBC |
|---|---|
| Description | Due to H2O using the getConnectionSafe method, it appears that the intention was to establish a secure connection. However, in practice, no restrictions are placed on the JDBC connection settings, allowing attackers to arbitrarily set the JDBC URL. This can lead to deserialization attacks, file reads, command execution, and other risks on the victim's server. |
| Source | ⚠️ https://rumbling-slice-eb0.notion.site/Unauthenticated-Remote-Command-Execution-via-Panda-df-query-9dc40f0477ee4b65806de7921876c222?pvs=4 |
| User | aftersnow (UID 71336) |
| Submission | 09/05/2024 02:20 PM (1 year ago) |
| Moderation | 09/14/2024 07:34 AM (9 days later) |
| Status | Accepted |
| VulDB Entry | 277499 [h2oai h2o-3 3.46.0.4 JDBC Connection /dtale/chart-data/1 getConnectionSafe query privilege escalation] |
| Points | 15 |