PT-2024-37999 · H2O · H2O

Ori Hollander · Published 2024-06-10 · Updated 2024-12-13 · CVE-2024-6960

CVSS v4.0: 7.7 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: H2O versions prior to 3.38.0

Description: The H2O machine learning platform uses "Iced" classes to move Java objects around the cluster, which supports the inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized without a whitelist, allowing an attacker to construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when imported to the H2O platform.

Recommendations: For versions prior to 3.38.0, upgrade to version 3.38.0 to prevent attackers from running arbitrary code on the system. As a temporary workaround, consider restricting the import of models to trusted sources until the upgrade is applied.
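The following stand-alone Java program is an added illustration, not H2O's code and not the fix the project shipped: it contrasts the unfiltered deserialization pattern the description refers to (any class named in the stream is instantiated) with a JEP 290 allowlist filter that rejects unexpected classes before they are instantiated. `ModelImportDemo`, `ToyModel` and the filter pattern are hypothetical names chosen for the example; the serialized inputs are constructed in `main`.

```java
import java.io.*;
import java.util.HashMap;

public class ModelImportDemo {
    // Hypothetical model class standing in for a serialized model; not H2O's Iced.
    public static final class ToyModel implements Serializable {
        final double[] weights;
        ToyModel(double[] w) { this.weights = w; }
    }

    // Vulnerable pattern: whatever class the stream names is resolved and
    // instantiated, so the file, not the application, decides what gets loaded.
    static Object importUnfiltered(byte[] blob) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            return in.readObject();
        }
    }

    // Hardened pattern: a JEP 290 allowlist. Only the model class is admitted (primitive
    // arrays pass because the filter checks their component type); every other class is
    // rejected before it is instantiated, and depth/reference counts are capped.
    static final ObjectInputFilter MODEL_FILTER =
            ObjectInputFilter.Config.createFilter("maxdepth=4;maxrefs=64;ModelImportDemo$ToyModel;!*");

    static ToyModel importFiltered(byte[] blob) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            in.setObjectInputFilter(MODEL_FILTER);
            return (ToyModel) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new ToyModel(new double[] {0.5, -1.25}));
        System.out.println("filtered import ok, weights: " + importFiltered(good).weights.length);

        // Constructed stand-in for a model file that names a class the importer never
        // expected: the unfiltered path loads it, the filtered path refuses it.
        byte[] unexpected = serialize(new HashMap<String, String>());
        System.out.println("unfiltered accepts: " + importUnfiltered(unexpected).getClass().getName());
        try {
            importFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejects: " + e.getMessage());
        }
    }
}
```

Requires Java 9 or later for `java.io.ObjectInputFilter`; an allowlist like this is the generic mitigation for the weakness class, and complements the upgrade and trusted-source restriction recommended above rather than replacing them.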

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2025-02728
CVE-2024-6960
GHSA-W36W-948J-XHFW

Affected Products

H2O