H2O Unauthenticated RCE via Unrestricted JDBC URL Injection Leading to Deserialization and Command Execution

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. **Vulnerability Type**: Unauthenticated Remote Code Execution (RCE). 2. **Vulnerability Description**: H2O uses the `getConnectionSafe` method, intended to establish a secure connection. However, in practice, there are no restrictions on JDBC connection settings, allowing attackers to arbitrarily set the JDBC URL. This may lead to risks such as deserialization attacks, file reading, and command execution. 3. **Code Example**: ```java public static Connection getConnectionSafe(String url, String username, String password) throws SQLException { initializeDatabaseDriver(getDatabaseType(url)); try { return DriverManager.getConnection(url, username, password); } catch (NoClassDefFoundError e) { throw new RuntimeException("Failed to get database connection, probably due to using thin jdbc driver jar.", e); } } ``` 4. **Risk**: This code may enable malicious JDBC connections, posing a Remote Code Execution (RCE) risk to SQL drivers such as MySQL, PostgreSQL, and Derby. 5. **Trigger Method**: Even within `org.h2.Driver`, command execution can be triggered by sending the following JDBC URL via the script system: ```sql jdbc:h2:mem:testdb;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE ``` This information indicates that the vulnerability allows attackers to execute arbitrary code through unrestricted JDBC connections, posing a severe threat to the target server.

Goal Reached Thanks to every supporter — we hit 100%!

H2O Unauthenticated RCE via Unrestricted JDBC URL Injection Leading to Deserialization and Command Execution