CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5979 – Denial of Service via Invalid Argument in h2oai/h2o-3
https://notcve.org/view.php?id=CVE-2024-5979
27 Jun 2024 — In h2oai/h2o-3 version 3.46.0, the `run_tool` command in the `rapids` component allows the `main` function of any class under the `water.tools` namespace to be called. One such class, `MojoConvertTool`, crashes the server when invoked with an invalid argument, causing a denial of service. • https://huntr.com/bounties/d80a2139-fc03-44b7-b739-de41e323b458 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-5550 – Exposure of Sensitive Information via Arbitrary System Path Lookup in h2oai/h2o-3
https://notcve.org/view.php?id=CVE-2024-5550
06 Jun 2024 — In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vulnerability allows any remote user to view full paths in the entire file system where h2o-3 is hosted. Specifically, the issue resides in the Typeahead API call, which when requested with a typeahead lookup of '/', exposes the root filesystem including directories such as /home, /usr, /bin, among others. This vulnerability could allow attackers to explore the enti... • https://huntr.com/bounties/e76372c2-39be-4984-a7c8-7048a75a25dc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •