Home > Vulnerability Database > CVE-2024-6960

Mend.io Vulnerability Database

CVE-2024-6960

Date: July 21, 2024

The H2O machine learning platform uses "Iced" classes as the primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized (no class whitelist). An attacker can construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when imported to the H2O platform.

Language: Java

Severity Score

7.5

Related Resources (5)

Url: https://github.com/h2oai/h2o-3

Url: https://research.jfrog.com/vulnerabilities/h2o-model-deserialization-rce-jfsa-2024-001035518

Url: https://research.jfrog.com/vulnerabilities/h2o-model-deserialization-rce-jfsa-2024-001035518/

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-6960

Url: https://www.mend.io/vulnerability-database/CVE-2024-6960

Severity Score

7.5

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-6960

Date: July 21, 2024

Language: Java

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?