Headline

GHSA-5w3j-gwgh-4rfv: H2O affected by a deserialization vulnerability

A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.7, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.

6 hours ago

ghsa

Open in Source

#vulnerability #auth

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

ghsa: Latest News

GHSA-7rcc-q6rq-jpcm: DNN affected by Stored Cross-Site Scripting (XSS) in Profile Biography field

3 hours ago

ghsa

GHSA-wq2j-w9pm-7x2p: DNN allows loading unused themes on anonymous clients through query parameters

4 hours ago

ghsa

GHSA-vh3f-qppr-j97f: Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink

4 hours ago

ghsa

GHSA-jh9h-8xf2-25wj: Liferay has a stored cross-site scripting (XSS) vulnerability via a a publication’s “Name” text field

6 hours ago

ghsa

GHSA-5w3j-gwgh-4rfv: H2O affected by a deserialization vulnerability

6 hours ago

ghsa