How severe is CVE-2024-45758?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.1 out of 10.

What type of vulnerability is CVE-2024-45758?

This is classified as CWE-502, which is a common weakness in software security.

CVE-2024-45758 - CRITICAL Severity | CVSS 9.1

Vulnerability Description

H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with any typical JDBC Connection URL attack payload such as one that uses queryInterceptors.

Related Vulnerabilities

CVE-2016-3415

CRITICAL

CVSS:9.1(Critical)

Zimbra Collaboration before 8.7.0 allows remote attackers to conduct deserialization attacks via unspecified vectors, aka bug 102276.

CWE-5022016

CVE-2016-6793

CRITICAL

CVSS:9.1(Critical)

The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the per...

CWE-5022016

CVE-2020-11467

CRITICAL

CVSS:9.1(Critical)

An issue was discovered in Deskpro before 2019.8.0. This product enables administrators to modify the helpdesk interface by editing /portal/api/style/edit-theme-set/template-sources theme templates, a...

CWE-5022020

CVE-2020-6219

CRITICAL

CVSS:9.1(Critical)

SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), versions 4.1, 4.2, and Crystal Reports for VS version 2010, allows an attacker with basic authorization to perform ...

CWE-5022020

CVE-2021-21342

CRITICAL

CVSS:9.1(Critical)

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type informat...

CWE-5022021

CVE-2021-29508

CRITICAL

CVSS:9.1(Critical)

Due to how Wire handles type information in its serialization format, malicious payloads can be passed to a deserializer. e.g. using a surrogate on the sender end, an attacker can pass information abo...

CWE-5022021