CVE-2024-6863

Medium CVSS: 6.5

In h2oai/h2o-3 version 3.46.0, an endpoint exposing a custom EncryptionTool allows an attacker to encrypt any files on the target server with a key of their choosing. The chosen key can also be overwritten, resulting in ransomware-like behavior. This vulnerability makes it possible for an attacker to encrypt arbitrary files with keys of their choice, making it exceedingly difficult for the target to recover the keys needed for decryption.

Vendor

H2o

Product

H2o

CWE

CWE-749

Yayın Tarihi

2025-03-20 10:15:34

Güncelleme

2025-07-15 15:52:34

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-749 H2o MEDIUM H2o 2025

Referanslar

https://huntr.com/bounties/10f55937-0cba-4530-897f-2abf30ed5270

Benzer Kayıtlar

High

CVE-2025-61684

Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a…

Medium

CVE-2025-10768

A flaw has been found in h2oai h2o-3 up to 3.46.08. The impacted element is an unknown function of the file /99/ImportSQ…

Medium

CVE-2025-10769

A vulnerability has been found in h2oai h2o-3 up to 3.46.08. This affects an unknown function of the file /99/ImportSQLT…

Critical

CVE-2025-6544

A deserialization vulnerability exists in h2oai/h2o-3 versions

High

CVE-2024-8616

In h2oai/h2o-3 version 3.46.0, the `/99/Models/{name}/json` endpoint allows for arbitrary file overwrite on the target s…

High

CVE-2024-8062

A vulnerability in the typeahead endpoint of h2oai/h2o-3 version 3.46.0 allows for a denial of service. The endpoint per…