Attackers Can Use Crafted Iced Models to Execute Arbitrary Code on H2O Platform
CVE-2024-6960

Key Information:

Vendor: H2O
CVE Published: 21 July 2024

Summary

The H2O machine learning platform uses "Iced" classes as the primary means of moving Java objects around the cluster. The Iced format supports inclusion of serialized Java objects, and when a model is deserialized any class is allowed to be deserialized (there is no class whitelist). An attacker can therefore construct a crafted Iced model that uses Java gadget classes and leads to arbitrary code execution when the model is imported into the H2O platform.
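Added here to illustrate the missing control described above (an explicit class allowlist applied before deserialization); this is example code, not H2O's own Iced implementation. The allowlisted class names, the ModelStub type and the sample payloads are constructed for the example.

```java
import java.io.*;
import java.util.Set;

// Added example, not H2O project code: deserialize only classes on an explicit
// allowlist, the control the advisory reports as missing from Iced model import.
public final class AllowlistDeserializer {
    // Hypothetical allowlist; a real one names the exact model classes expected.
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.String", "java.lang.Integer", "java.lang.Double",
        "java.util.ArrayList", "java.util.HashMap",
        "AllowlistDeserializer$ModelStub");
    // Stand-in for a serialized model payload (constructed for this example).
    public static final class ModelStub implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String name;
        public final double[] weights;
        public ModelStub(String name, double[] weights) { this.name = name; this.weights = weights; }
    }
    // JDK 9+ ObjectInputFilter: decide per class before any readObject() of that class runs.
    private static final ObjectInputFilter FILTER = info -> {
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // depth/size checks only
        while (c.isArray()) c = c.getComponentType();            // check element type of arrays
        if (c.isPrimitive()) return ObjectInputFilter.Status.ALLOWED;
        return ALLOWED.contains(c.getName())
            ? ObjectInputFilter.Status.ALLOWED
            : ObjectInputFilter.Status.REJECTED;
    };

    public static Object readWithAllowlist(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }
    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        ModelStub m = (ModelStub) readWithAllowlist(serialize(new ModelStub("gbm", new double[]{0.5, 1.5})));
        System.out.println("accepted: " + m.name);
        try { // any class off the list (here java.util.Date) is rejected before it is instantiated
            readWithAllowlist(serialize(new java.util.Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter runs on every class descriptor in the stream, so a gadget class nested inside an otherwise valid model object is rejected at the descriptor, not after its readObject has executed.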

News Articles

Application Development | Cyber security technical information


Timeline

  • First article discovered by antihackingonline.com
  • Vulnerability published