Description

In h2oai/h2o-3 version 3.46.0, the endpoint for exporting models does not restrict the export location, allowing an attacker to export a model to any file in the server's file structure, thereby overwriting it. This vulnerability can be exploited to overwrite any file on the target server with a trained model file, although the content of the overwrite is not controllable by the attacker.

INFO

Published Date :

2025-03-20T10:09:57.301Z

Last Modified :

2025-03-20T18:32:31.810Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-6854 vulnerability.

Vendors Products
H2o
  • H2o
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-6854.

URL Resource
https://huntr.com/bounties/97d013f9-ac51-4c80-8dd7-8dfde11f33b2 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact