6 matches found
CVE-2024-10382
There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary Java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to...
Deserialization Of Untrusted Data
H2O is vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to unsafe deserialization of any class in Iced models due to a lack of a class whitelist, allowing attackers to use Java gadgets to execute arbitrary code...
H2O vulnerable to Deserialization of Untrusted Data
The H2O machine learning platform uses "Iced" classes as the primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized; there is no class whitelist. An attacker can construct ...
CVE-2024-6960
CVE-2024-6960 describes an unsafe deserialization flaw in H2O’s Iced framework: deserialized models can execute arbitrary code due to lack of a class whitelist. Public sources (including Red Hat RH/CVE and PT-Security) confirm this affects H2O, enabling potential code execution when importing cra...
CVE-2024-6960 H2O deserializes ML models without filtering, potentially allowing execution of malicious code
The H2O machine learning platform uses "Iced" classes as the primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized; there is no class whitelist. An attacker can construct ...
H2O vulnerable to Deserialization of Untrusted Data
The H2O machine learning platform uses "Iced" classes as the primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized; there is no class allowlist. An attacker can construct ...