| Title | h2oai h2o-3 <=v3.46.08 Deserialization |
|---|---|
| Description | In H2O-3, the existing JDBC deserialization defense mechanisms only cover MySQL and H2 drivers. However, since H2O-3 is designed to support importing SQL tables from multiple database sources, when IBM DB2 is used as the database backend, it becomes possible to exploit JDBC deserialization, leading to remote code execution (RCE). |
| Source | ⚠️ https://github.com/ez-lbz/poc/issues/50 |
| User | ez-lbz (UID 87033) |
| Submission | 09/06/2025 12:09 (9 months ago) |
| Moderation | 09/21/2025 10:16 (15 days later) |
| Status | Accepted |
| VulDB entry | 325124 [h2oai h2o-3 up to 3.46.08 IBMDB2 JDBC Driver /99/ImportSQLTable connection_url deserialization] |
| Points | 18 |