CVE-2025-10768

Medium CVSS: 5.3

A flaw has been found in h2oai h2o-3 up to 3.46.08. The impacted element is an unknown function of the file /99/ImportSQLTable of the component IBMDB2 JDBC Driver. This manipulation of the argument connection_url causes deserialization. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Vendor

H2o

Product

H2o

CWE

CWE-20

Yayın Tarihi

2025-09-21 10:15:48

Güncelleme

2025-10-08 20:04:01

Source Identifier

cna@vuldb.com

KEV Date Added

Kategoriler

CWE-20 H2o MEDIUM H2o 2025

Referanslar

https://github.com/ez-lbz/poc/issues/50 https://github.com/ez-lbz/poc/issues/50#issue-3389830879 https://vuldb.com/?ctiid.325124 https://vuldb.com/?id.325124 https://vuldb.com/?submit.649508 https://github.com/ez-lbz/poc/issues/50 https://github.com/ez-lbz/poc/issues/50#issue-3389830879

Benzer Kayıtlar

High

CVE-2025-61684

Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a…

Medium

CVE-2025-10769

A vulnerability has been found in h2oai h2o-3 up to 3.46.08. This affects an unknown function of the file /99/ImportSQLT…

Critical

CVE-2025-6544

A deserialization vulnerability exists in h2oai/h2o-3 versions

High

CVE-2024-8616

In h2oai/h2o-3 version 3.46.0, the `/99/Models/{name}/json` endpoint allows for arbitrary file overwrite on the target s…

High

CVE-2024-8062

A vulnerability in the typeahead endpoint of h2oai/h2o-3 version 3.46.0 allows for a denial of service. The endpoint per…

High

CVE-2024-7768

A vulnerability in the `/3/ImportFiles` endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of s…