High severity7.5GHSA Advisory· Published Jul 21, 2024· Updated Apr 15, 2026
CVE-2024-6960
CVE-2024-6960
Description
The H2O machine learning platform uses "Iced" classes as the primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized (no class whitelist). An attacker can construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when imported to the H2O platform.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ai.h2o:h2o-coreMaven | <= 3.46.0.4 | — |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-w36w-948j-xhfwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-6960ghsaADVISORY
- mvnrepository.com/artifact/ai.h2o/h2o-corenvdWEB
- research.jfrog.com/vulnerabilities/h2o-model-deserialization-rce-jfsa-2024-001035518ghsaWEB
- research.jfrog.com/vulnerabilities/h2o-model-deserialization-rce-jfsa-2024-001035518/nvd
News mentions
0No linked articles in our index yet.