CVE-2024-5979

Advisory

Affected versions of H2o are vulnerable to CVE-2024-5979: The 'run_tool' command in the 'rapids' component allows the 'main' function of any class under the 'water.tools' namespace to be called. One such class, 'MojoConvertTool', crashes the server when invoked with an invalid argument, causing a denial of service.
The vulnerable code is found in /h2o/backend/bin/h2o.jar

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://huntr.com/bounties/d80a2139-fc03-44b7-b739-de41e323b458
• https://github.com/advisories/GHSA-58m3-rcvp-f9ww
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5979
• https://github.com/h2oai/h2o-3/issues/16351