CVE-2024-6854
CVE-2024-6854 affects h2oai/h2o-3 (v3.46.0). The export-model endpoint does not restrict the destination path, enabling an attacker to export a model to arbitrary locations on the server’s filesystem and overwrite files. The overwrite target content is not controllable by the attacker, but the at...