What is CVE-2024-8862?

CVE-2024-8862 is a high-severity vulnerability in H2oai H2o-3, classified under Deserialization of Untrusted Data. CVSS score: 7.3/10. Published 2024-09-14.

How severe is CVE-2024-8862?

High severity. CVSS v3 base score is 7.3 out of 10.

Is CVE-2024-8862 known to be exploited?

3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Deserialization in H2oai H2o-3

CVE-2024-8862

A vulnerability, which was classified as critical, has been found in h2oai h2o-3 3.46.0.4. This issue affects the function getConnectionSafe of the file /dtale/chart-data/1 of the component JDBC Connection Handler. The manipulation of the…

Vulnerability class: Insecure Deserialization

EPSS: 0.016 (81.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.3 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L.

Affected products

H2oai H2o-3 — versions 3.46.0.4

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

Public proof-of-concept exploits

References

VDB-277499 | h2oai h2o-3 JDBC Connection 1 getConnectionSafe deserialization (vdb-entry, technical-description)
VDB-277499 | CTI Indicators (IOB, IOC, IOA) (signature, permissions-required)
Submit #403200 | h2oai h2o-3 3.46.0.4 Unauthenticated Remote Code Execution via Unrestricted JDBC (third-party-advisory)
rumbling-slice-eb0.notion.site/Unauthenticated-Remote-Command-Execution-via-Pan… (exploit)

Frequently asked questions

What is CVE-2024-8862?: CVE-2024-8862 is a high-severity vulnerability in H2oai H2o-3, classified under Deserialization of Untrusted Data. CVSS score: 7.3/10. Published 2024-09-14.
How severe is CVE-2024-8862?: High severity. CVSS v3 base score is 7.3 out of 10.
Is CVE-2024-8862 known to be exploited?: 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.