There exist JDBC deserialization vulnerabilities in the h2o-3 REST API. Unauthenticated, remote, no user interaction. Although the basic usage is java -jar h2o.jar without other libs, the documentation clearly claims support for JDBC, including mysql, postgres and others. We can also see help info for mysql-connector and tests using mysql-connector, so it might be common to use h2o-3 with these SQL driver libs.

I found two API endpoints by which I can control the JDBC URL in params:

POST /99/ImportSQLTable
POST /3/SaveToHiveTable

It will finally be passed to DriverManager.getConnection(sink, ...), leading to deserialization if the mysql or pgsql driver is available in the classpath. I use jackson-databind:2.16.1 for the deserialization gadget, available in h2o-3 3.46.0.4.
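The root cause described above is a request-supplied string reaching DriverManager.getConnection unchanged, so the caller's driver properties ride along in the URL. The usual mitigation is to treat the URL as untrusted structure: allowlist the sub-protocol and host, keep the database name as a plain identifier, and supply every driver property (credentials included) from server-side configuration rather than from the URL's query string. The class below is an added example of that pattern; it is not h2o-3's own code, and the class name JdbcUrlPolicy, the allowed host db.internal.example and the sample URLs are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import java.util.Set;

/** Hypothetical allowlist check applied to a JDBC URL before it reaches DriverManager. */
public final class JdbcUrlPolicy {

    // Constructed policy for this example: only these drivers and hosts may be contacted.
    private static final Set<String> ALLOWED_SUBPROTOCOLS = Set.of("mysql", "postgresql");
    private static final Set<String> ALLOWED_HOSTS = Set.of("db.internal.example"); // placeholder host

    private JdbcUrlPolicy() {}

    /** Returns a normalized URL built only from validated parts, or throws if any part is rejected. */
    public static String validate(String jdbcUrl) {
        if (jdbcUrl == null || !jdbcUrl.startsWith("jdbc:")) {
            throw new IllegalArgumentException("not a jdbc: URL");
        }
        URI uri;
        try {
            // "jdbc:mysql://host:port/db" parses as a normal hierarchical URI once the "jdbc:" prefix is gone.
            uri = new URI(jdbcUrl.substring("jdbc:".length()));
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed JDBC URL", e);
        }
        String sub = uri.getScheme();
        if (sub == null || !ALLOWED_SUBPROTOCOLS.contains(sub.toLowerCase())) {
            throw new IllegalArgumentException("sub-protocol not allowed");
        }
        // Opaque forms (e.g. "mysql:loadbalance://...") have no host and are rejected here as well.
        if (uri.isOpaque() || uri.getHost() == null || !ALLOWED_HOSTS.contains(uri.getHost().toLowerCase())) {
            throw new IllegalArgumentException("host not allowed");
        }
        if (uri.getRawUserInfo() != null) {
            throw new IllegalArgumentException("credentials belong in server-side properties, not the URL");
        }
        // Driver properties are never accepted from the request, so any query string or fragment is rejected.
        if (uri.getRawQuery() != null || uri.getRawFragment() != null) {
            throw new IllegalArgumentException("driver properties in URL not allowed");
        }
        String path = uri.getRawPath();
        if (path == null || !path.matches("/[A-Za-z0-9_]+")) {
            throw new IllegalArgumentException("database name must be a plain identifier");
        }
        int port = uri.getPort();
        return "jdbc:" + sub.toLowerCase() + "://" + uri.getHost().toLowerCase()
                + (port == -1 ? "" : ":" + port) + path;
    }

    /** Opens the connection with properties the server controls; nothing from the request reaches the driver config. */
    public static Connection connect(String requestedUrl, Properties serverSideProps) throws SQLException {
        return DriverManager.getConnection(validate(requestedUrl), serverSideProps);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one accepted, three rejected for different reasons.
        String[] samples = {
            "jdbc:mysql://db.internal.example:3306/sales",
            "jdbc:mysql://db.internal.example:3306/sales?someDriverProperty=true",
            "jdbc:mysql://other-host.example:3306/sales",
            "jdbc:postgresql://db.internal.example/sales",
        };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + validate(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The important design choice is that the string handed to the driver is rebuilt from validated components rather than passed through after a check, so no part of the request can smuggle a driver property or an unexpected host into the connection.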