Encryption of Arbitrary Files with Attacker-Controlled Key in h2oai/h2o-3
Description
In h2oai/h2o-3 version 3.46.0, an endpoint exposing a custom EncryptionTool allows an attacker to encrypt any files on the target server with a key of their choosing. The chosen key can also be overwritten, resulting in ransomware-like behavior. This vulnerability makes it possible for an attacker to encrypt arbitrary files with keys of their choice, making it exceedingly difficult for the target to recover the keys needed for decryption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
H2O-3 version 3.46.0 exposes an EncryptionTool endpoint allowing attackers to encrypt arbitrary files with attacker-chosen keys.
Vulnerability
Analysis
CVE-2024-6863 affects H2O-3 version 3.46.0, an open-source machine learning platform [1]. The vulnerability lies in an endpoint that exposes a custom EncryptionTool. This design flaw allows an attacker with network access to the H2O-3 instance to encrypt arbitrary files on the target server [2][3]. The attacker can specify any encryption key of their choosing, and critically, can also overwrite the key, making true recovery of the original keys all but impossible [2].
Exploitation
An attacker exploiting this vulnerability requires network access to the exposed endpoint that provides the EncryptionTool functionality. There are no authentication prerequisites mentioned; the endpoint appears to be available without proper access controls. Once accessed, the attacker can call the EncryptionTool's methods to encrypt files on the server, and the chosen encryption key can be overwritten at will, thus preventing the victim from decrypting the files [2].
Impact
The impact is ransomware-like behavior: an attacker can encrypt arbitrary files on the H2O-3 server with keys they control. Because the key can be overwritten, the victim cannot rely on a previously set key for decryption. This can lead to complete loss of data availability, and potentially integrity, for files stored on the affected server [2].
Mitigation
At the time of this writing, the official H2O-3 GitHub repository does not indicate a patched version [1]. Users of H2O-3 3.46.0 should consider restricting network access to the vulnerable endpoint or disabling the EncryptionTool if not required. Monitoring for the release of a security update from H2O.ai is recommended [1][2].
- [1] GitHub - h2oai/h2o-3: H2O is an Open Source, Distributed, Fast & Scalable Machine Learning Platform: Deep Learning, Gradient Boosting (GBM) & XGBoost, Random Forest, Generalized Linear Modeling (GLM with Elastic Net), K-Means, PCA, Generalized Additive Models (GAM), RuleFit, Support Vector Machine (SVM), Stacked Ensembles, Automatic Machine Learning (AutoML), etc.
- [2] NVD - CVE-2024-6863
- [3] h2o-3/h2o-core/src/main/java/water/tools/EncryptionTool.java at a20b5b19b769866ee24b217ee78b820e64c1cd6a · h2oai/h2o-3
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| h2o (PyPI) | >= 3.32.1.2, <= 3.46.0 | — |
| ai.h2o:h2o-core (Maven) | >= 3.32.1.2, <= 3.46.0 | — |
Affected products
- ghsa-coords (2 versions): >= 3.32.1.2, <= 3.46.0 (+1 more)
- (no CPE) range: >= 3.32.1.2, <= 3.46.0
- (no CPE) range: >= 3.32.1.2, <= 3.46.0
- h2oai/h2oai/h2o-3 (v5) range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.