CVE-2024-6960 – ai.h2o:h2o-core

Package

Manager: maven
Name: ai.h2o:h2o-core
Vulnerable Version: >=0 <=3.46.0.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00162 pctl0.37595

Details

H2O vulnerable to Deserialization of Untrusted Data The H2O machine learning platform uses "Iced" classes as the primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized (no class whitelist). An attacker can construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when imported to the H2O platform.

Metadata

Created: 2024-07-21T12:30:48Z
Modified: 2024-11-25T19:28:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-w36w-948j-xhfw/GHSA-w36w-948j-xhfw.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-w36w-948j-xhfw
Finding: F096
Auto approve: 1