GHSA-wjpv-64v2-2qpq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wjpv-64v2-2qpq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-wjpv-64v2-2qpq/GHSA-wjpv-64v2-2qpq.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-wjpv-64v2-2qpq
- Aliases
-
- CVE-2024-10572
- Published
- 2025-03-20T12:32:39Z
- Modified
- 2025-03-20T19:30:37.446699Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- H2O Vulnerable to Denial of Service (DoS) and File Write
- Details
-
In h2oai/h2o-3 version 3.46.0.1, the
run_toolcommand exposes classes in thewater.toolspackage through theastparser. This includes theXGBoostLibExtractToolclass, which can be exploited to shut down the server and write large files to arbitrary directories, leading to a denial of service. - Database specific
{ "nvd_published_at": "2025-03-20T10:15:17Z", "cwe_ids": [ "CWE-400" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-03-20T19:13:16Z" }- References
Affected packages
PyPI / h2o
Package
- Name
- h2o
- View open source insights on deps.dev
- Purl
- pkg:pypi/h2o
Maven / ai.h2o:h2o-ext-xgboost
Package
- Name
- ai.h2o:h2o-ext-xgboost
- View open source insights on deps.dev
- Purl
- pkg:maven/ai.h2o/h2o-ext-xgboost
Affected versions
3.*
3.34.0.1
3.34.0.3
3.34.0.4
3.34.0.5
3.34.0.6
3.34.0.7
3.34.0.8
3.35.0.2
3.36.0.1
3.36.0.2
3.36.0.3
3.36.0.4
3.36.1.1
3.36.1.2
3.36.1.3
3.36.1.4
3.36.1.5
3.38.0.1
3.38.0.2
3.38.0.3
3.38.0.4
3.40.0.1
3.40.0.2
3.40.0.3
3.40.0.4
3.42.0.1
3.42.0.2
3.42.0.3
3.42.0.4
3.44.0.1
3.44.0.2
3.44.0.3
3.46.0.1