Attackers Can Use Crafted Iced Models to Execute Arbitrary Code on H2O Platform
CVE-2024-6960

Key Information:

Vendor:
H2O
CVE Published:
21 July 2024

Badges

📰 News Worthy

What is CVE-2024-6960?

The H2O machine learning platform uses "Iced" classes as the primary means of moving Java objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized (there is no class whitelist). An attacker can construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when it is imported into the H2O platform.

News Articles

Application Development | Cyber security technical information

References

Timeline

  • 📰

    First article discovered by antihackingonline.com

  • Vulnerability published
