CVE-2024-6960

H2O deserializes ML models without filtering, potentially allowing execution of malicious code

CVSS 7.5 HIGH | EPSS 0.6% | CWE-502
The H2O machine learning platform uses "Iced" classes as the primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized (no class whitelist). An attacker can construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when imported to the H2O platform.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
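The missing control described above is a class allowlist applied during deserialization. The following is an added example, not H2O's code and not a reconstruction of the Iced format: it uses the standard JDK ObjectInputFilter (JEP 290) to accept only one hypothetical `Model` class and reject every other class before its code can run. `Model` and `NotAllowed` are constructed stand-ins.

```java
import java.io.*;

// Added example (not H2O's code): deserialization with an explicit class allowlist,
// the control the advisory says the Iced model path lacks.
public class AllowlistDeserialization {

    // Hypothetical stand-in for a legitimate serialized model object.
    public static final class Model implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        Model(String name) { this.name = name; }
    }

    // Constructed stand-in for any class that is not on the allowlist.
    public static final class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Pattern syntax: ';'-separated class patterns, '!' rejects, '*' is a wildcard.
    // Only Model and java.lang.String are accepted; the trailing "!*" rejects all else,
    // so the filter decides before any constructor or readObject of a foreign class runs.
    static Object readWithAllowlist(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "AllowlistDeserialization$Model;java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Model m = (Model) readWithAllowlist(serialize(new Model("model-1")));
        System.out.println("allowed:  " + m.name);
        try {
            readWithAllowlist(serialize(new NotAllowed()));
        } catch (InvalidClassException e) {
            // The filter rejected the class; no code from NotAllowed executed.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Requires Java 9 or later for `setObjectInputFilter`; the same filter can be applied process-wide with `ObjectInputFilter.Config.setSerialFilter` so that no code path can forget it.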
Affected products
ai.h2o:h2o-core
