CVE-2024-45758

9.1 CRITICAL

📋 TL;DR

This vulnerability in H2O.ai H2O allows attackers to supply arbitrary JDBC connection URLs, leading to deserialization attacks, file reads, and remote code execution. Attackers exploit it by POSTing malicious JSON to the ImportSQLTable endpoint. All H2O installations through version 3.46.0.4 are affected.

💻 Affected Systems

Products:
  • H2O.ai H2O
Versions: through 3.46.0.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any H2O installation with the ImportSQLTable endpoint accessible is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with unauthenticated remote code execution, allowing attackers to execute arbitrary commands, read sensitive files, and potentially pivot to other systems.

🟠 Likely Case

Remote code execution leading to data theft, system compromise, and potential ransomware deployment.

🟢 If Mitigated

Limited impact if network segmentation and access controls prevent unauthorized access to the H2O interface.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires access to post to the ImportSQLTable URI but does not require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Upgrade to a version beyond 3.46.0.4 when released.

🔧 Temporary Workarounds

Network Access Restriction

Platform: linux

Restrict network access to H2O instances to only trusted IP addresses.

Use firewall rules to limit access (the ACCEPT rule for the trusted source must come before the DROP rule):

iptables -A INPUT -p tcp --dport [H2O_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [H2O_PORT] -j DROP

Disable ImportSQLTable Endpoint

Platform: all

Remove or disable the vulnerable ImportSQLTable endpoint if it is not needed.

Modify the H2O configuration to disable the endpoint, or implement reverse proxy rules to block requests to /ImportSQLTable.

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to isolate H2O instances
  • Deploy web application firewall (WAF) rules to block malicious JDBC URL patterns

🔍 How to Verify

Check if Vulnerable:

Check whether the H2O version is 3.46.0.4 or earlier and whether the ImportSQLTable endpoint is accessible.

Check Version:

Check H2O version via web interface or configuration files.

Verify Fix Applied:

Verify H2O version is beyond 3.46.0.4 when patch is released.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /ImportSQLTable with JSON containing connection_url
  • Unusual JDBC connection attempts or errors

Network Indicators:

  • HTTP POST to ImportSQLTable endpoint with JSON payloads
  • Outbound connections to unusual JDBC servers

SIEM Query:

source="h2o.log" AND "POST /ImportSQLTable" AND "connection_url"
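The log indicators above can be turned into a small detector. The following is an added example (not part of the advisory or of H2O itself) that scans constructed request-log lines for POSTs to the ImportSQLTable endpoint, extracts connection_url from the JSON body, and alerts when the JDBC driver or target host is outside an assumed allowlist (ALLOWED_DRIVERS, ALLOWED_HOSTS and the sample log are constructed for this example).

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample lines (method, path, request body), not real H2O log output.
SAMPLE_LOG = """\
POST /99/ImportSQLTable {"connection_url": "jdbc:postgresql://db.internal:5432/sales", "table": "orders"}
GET /3/Frames
POST /99/ImportSQLTable {"connection_url": "jdbc:mysql://203.0.113.7:3306/app", "table": "users"}
POST /99/ImportSQLTable {"connection_url": "jdbc:h2:mem:testdb", "table": "t"}
POST /99/ImportSQLTable not-json
"""

# Drivers and database hosts this deployment legitimately uses (assumed values; tailor them).
ALLOWED_DRIVERS = {"postgresql", "mysql"}
ALLOWED_HOSTS = {"db.internal"}

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<body>.*))?$")

def parse_jdbc(url):
    """Split 'jdbc:<driver>://host:port/db' into (driver, host); host is None when absent."""
    if not url.lower().startswith("jdbc:"):
        return None, None
    parts = urlsplit(url[len("jdbc:"):])
    return parts.scheme or None, parts.hostname

def classify(line):
    """None for lines that are not ImportSQLTable POSTs, otherwise a finding dict."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("method") != "POST":
        return None
    path = m.group("path").split("?", 1)[0]
    if not path.endswith("/ImportSQLTable"):
        return None
    finding = {"path": path, "connection_url": None, "severity": "info"}
    try:
        body = json.loads(m.group("body") or "{}")
    except json.JSONDecodeError:
        finding["severity"] = "suspicious"  # unparseable body sent to a sensitive endpoint
        return finding
    url = body.get("connection_url") if isinstance(body, dict) else None
    if not isinstance(url, str):
        return finding
    finding["connection_url"] = url
    driver, host = parse_jdbc(url)
    # Alert when the driver or target host is outside the allowlist: this is the
    # "unusual JDBC connection" the indicators above describe.
    if driver not in ALLOWED_DRIVERS or host not in ALLOWED_HOSTS:
        finding["severity"] = "alert"
    return finding

def scan(log_text):
    """Apply classify() to every line and keep only ImportSQLTable findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]
```

Running scan(SAMPLE_LOG) yields one "info" finding for the allowlisted database, two "alert" findings (external host, non-allowlisted driver) and one "suspicious" finding for the unparseable body.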
