| Title | h2oai h2o-3 <=v3.46.08 Deserialization |
|---|---|
| Description | In H2O-3, the existing JDBC deserialization defense mechanisms only cover MySQL and H2 drivers. However, since H2O-3 is designed to support importing SQL tables from multiple database sources, when IBM DB2 is used as the database backend, it becomes possible to exploit JDBC deserialization, leading to remote code execution (RCE). |
| Source | ⚠️ https://github.com/ez-lbz/poc/issues/50 |
| User | ez-lbz (UID 87033) |
| Submission | 2025-09-06 12:09 PM (9 months ago) |
| Moderation | 2025-09-21 10:16 AM (15 days later) |
| Status | Accepted |
| VulDB Entry | 325124 [h2oai h2o-3 up to 3.46.08 IBMDB2 JDBC Driver /99/ImportSQLTable connection_url privilege escalation] |
| Points | 18 |