📦 H2o
by H2o
⚠️ Known Vulnerabilities
A critical deserialization vulnerability in h2oai/h2o-3 allows attackers to bypass security checks using double URL encoding, enabling arbitrary file reading and remote code execution. All users runni...
This vulnerability allows unauthenticated remote attackers to execute arbitrary code on H2O-3 machine learning platforms by exploiting insecure deserialization in REST API endpoints. Attackers can ach...
This vulnerability in H2O.ai H2O allows attackers to set arbitrary JDBC URLs, leading to deserialization attacks, file reads, and remote code execution. Attackers can exploit this by posting malicious...
CVE-2023-6016 allows remote attackers to execute arbitrary code on H2O dashboard servers through insecure deserialization in the POJO model import feature. This affects any organization using vulnerab...
This vulnerability allows authenticated attackers to overwrite arbitrary files on the server hosting H2O-3 version 3.46.0. Attackers can exploit the /99/Models/{name}/json endpoint to write malicious ...
This vulnerability in h2oai/h2o-3 version 3.46.0 allows attackers to cause denial of service by exploiting the typeahead endpoint's lack of timeout on HEAD requests. Attackers can send requests to con...
A denial-of-service vulnerability in h2o-3's ImportFiles endpoint allows attackers to recursively call the endpoint via the 'path' parameter, filling the request queue and making the server unresponsi...
This vulnerability in h2oai/h2o-3 allows attackers to cause denial of service by uploading specially crafted large GZIP files. The server becomes unresponsive due to memory exhaustion and excessive co...
This vulnerability in h2oai/h2o-3 version 3.46.0 allows attackers to export trained models to arbitrary locations on the server's filesystem, overwriting existing files. While attackers cannot control...
This vulnerability in h2oai/h2o-3 version 3.46.0 allows attackers to call the main function of any class under the water.tools namespace via the run_tool command. Specifically, invoking MojoConvertToo...
This CVE describes an S3 bucket takeover vulnerability in the h2oai/h2o-3 repository where the 'http://s3.amazonaws.com/h2o-training' bucket was vulnerable to unauthorized takeover. This allows attack...
This vulnerability in h2oai/h2o-3 allows attackers to control file paths used by the application, potentially leading to arbitrary file writes or reads. It affects users of the h2o-3 machine learning ...
This vulnerability in H2O allows attackers to take over S3 bucket URLs by exploiting a reference to a bucket that no longer exists. This affects systems using H2O with S3 bucket configurations. Attack...
This vulnerability in h2oai h2o-3 allows remote attackers to execute arbitrary code through deserialization attacks via the H2 JDBC Driver's connection_url parameter. It affects all systems running h2...
This vulnerability in h2oai/h2o-3 version 3.46.0 exposes an endpoint that allows attackers to encrypt arbitrary files on the server with custom keys, which can then be overwritten, creating ransomware...
This vulnerability in h2oai/h2o-3 version 3.40.0.4 allows remote attackers to view the entire filesystem path structure where the application is hosted. Any remote user can exploit this via the Typeah...