CVE-2024-5979 Information

Description

In h2oai/h2o-3 version 3.46.0 the run_tool command in the rapids component allows the main function of any class under the water.tools namespace to be called. One such class MojoConvertTool crashes the server when invoked with an invalid argument causing a denial of service.

Reference

https://huntr.com/bounties/d80a2139-fc03-44b7-b739-de41e323b458