GHSA-m37h-8r48-2cxj

Source

https://github.com/advisories/GHSA-m37h-8r48-2cxj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-m37h-8r48-2cxj/GHSA-m37h-8r48-2cxj.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-m37h-8r48-2cxj

Aliases

CVE-2024-6863

Published

2025-03-20T12:32:45Z

Modified

2025-03-20T20:12:22.077890Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L CVSS Calculator

Summary

H2O Vulnerable to Execution of Arbitrary Files

Details

In h2oai/h2o-3 version 3.46.0, an endpoint exposing a custom EncryptionTool allows an attacker to encrypt any files on the target server with a key of their choosing. The chosen key can also be overwritten, resulting in ransomware-like behavior. This vulnerability makes it possible for an attacker to encrypt arbitrary files with keys of their choice, making it exceedingly difficult for the target to recover the keys needed for decryption.

Database specific

{
    "nvd_published_at": "2025-03-20T10:15:34Z",
    "cwe_ids": [
        "CWE-749"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-20T19:46:49Z"
}

References

Affected packages

PyPI / h2o

Package

Name: h2o; View open source insights on deps.dev
Purl: pkg:pypi/h2o

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.32.1.2

Last affected

3.46.0

Affected versions

3.*

3.32.1.2

3.32.1.3

3.32.1.4

3.32.1.5

3.32.1.6

3.32.1.7

3.34.0.3

3.34.0.7

3.34.0.8

3.36.0.2

3.36.0.3

3.36.0.4

3.36.1.1

3.36.1.2

3.36.1.3

3.36.1.4

3.36.1.5

3.38.0.1

3.38.0.2

3.38.0.3

3.38.0.4

3.40.0.1

3.40.0.2

3.40.0.3

3.40.0.4

3.42.0.1

3.42.0.2

3.42.0.3

3.42.0.4

3.44.0.1

3.44.0.2

3.44.0.3

Maven / ai.h2o:h2o-core