h2o
PyPI: 5 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting h2o (page 1 of 1)
- CVE-2023-6569 | HIGH | CVSS 8.2 | EG 8.2 | ✓ Fixed in 3.46.0.1 | 2023-12-14
vulnerable: 3.10.0.10 ... 3.44.0.3 (111 versions)
External Control of File Name or Path in h2oai/h2o-3
- CVE-2024-45758 | CRITICAL | CVSS 9.1 | EG 9.1 | 2024-09-06
vulnerable: 3.10.0.10 ... 3.46.0.7 (118 versions)
H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with …
- CVE-2024-5550 | MEDIUM | CVSS 5.3 | EG 5.3 | 2024-06-06
vulnerable: 3.10.0.10 ... 3.40.0.4 (104 versions)
In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 i…
- CVE-2024-5979 | HIGH | CVSS 7.5 | EG 7.5 | 2024-06-27
vulnerable: 3.10.0.10 ... 3.44.0.3 (111 versions)
In h2oai/h2o-3 version 3.46.0, the `run_tool` command in the `rapids` component allows the `main` function of any class under the `water.tools` namespace to be called. One such class, `MojoConvertTool`, crashes the server when invoked with…
- CVE-2024-5986 | CRITICAL | CVSS 9.1 | EG 9.1 | 2026-02-02
vulnerable: 3.10.0.10 ... 3.46.0.1 (112 versions)
A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the `/3/Parse` endpoint to inject attacker-controlled data as the header of an empty …