Количество 3
Количество 3
CVE-2024-6960
The H2O machine learning platform uses "Iced" classes as the primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized (no class whitelist). An attacker can construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when imported to the H2O platform.
GHSA-w36w-948j-xhfw
H2O vulnerable to Deserialization of Untrusted Data
BDU:2025-02728
Уязвимость классов Iced платформы машинного обучения H2O, позволяющая нарушителю выполнить произвольный код
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано | |
|---|---|---|---|---|
 | CVE-2024-6960 The H2O machine learning platform uses "Iced" classes as the primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized (no class whitelist). An attacker can construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when imported to the H2O platform. | CVSS3: 7.5 | 0% Низкий | больше 1 года назад |
| GHSA-w36w-948j-xhfw H2O vulnerable to Deserialization of Untrusted Data | CVSS3: 7.5 | 0% Низкий | больше 1 года назад |
 | BDU:2025-02728 Уязвимость классов Iced платформы машинного обучения H2O, позволяющая нарушителю выполнить произвольный код | CVSS3: 7.5 | 0% Низкий | больше 1 года назад |
Уязвимостей на страницу