H2O.ai H2O-3 Model Export Overwrite Vulnerability
Vulnerability
A vulnerability in H2O.ai H2O-3 version 3.46.0 allows unauthorized file overwriting on the server through the model export feature. The endpoint does not limit the export destination, enabling an attacker to replace any file in the server's file system with a trained model file. However, the attacker cannot control the content of the overwritten file.
Impact
Exploitation of this vulnerability could lead to arbitrary file overwriting on the server, potentially disrupting services or causing data loss.
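A server-side check of the kind the export endpoint lacks, as an added example (not H2O-3 code or its fix): it confines the export destination to one directory and refuses to replace an existing file. The names resolve_export_path, write_model and ExportRejected, and the single export root, are assumptions made for the illustration.

```python
import os
from pathlib import Path


class ExportRejected(Exception):
    """Raised when a requested export destination is not acceptable."""


def resolve_export_path(export_root: str, requested: str) -> Path:
    """Map a client-supplied destination to a path inside export_root, or raise."""
    root = Path(export_root).resolve(strict=True)
    # Joining with an absolute `requested` discards `root`, so the containment
    # test below rejects absolute paths as well as ../ traversal. resolve()
    # also follows symlinks, so a link that points outside the root is caught.
    candidate = (root / requested).resolve(strict=False)
    if candidate == root or root not in candidate.parents:
        raise ExportRejected(f"destination not inside export root: {requested!r}")
    return candidate


def write_model(export_root: str, requested: str, model_bytes: bytes) -> Path:
    """Write an exported model without ever replacing an existing file."""
    dest = resolve_export_path(export_root, requested)
    dest.parent.mkdir(parents=True, exist_ok=True)
    # O_EXCL makes creation fail if anything already exists at dest, so the
    # export cannot overwrite a file; O_NOFOLLOW (where available) refuses a
    # symlink planted at the final path component.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(dest, flags, 0o640)
    except FileExistsError:
        raise ExportRejected(f"refusing to overwrite existing file: {dest}") from None
    with os.fdopen(fd, "wb") as fh:
        fh.write(model_bytes)
    return dest
```

Running the exporting process as an unprivileged account with write access only to the export directory limits the damage if a check like this is missing or bypassed.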
Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM
Vulnerability Rating
Custom Algorithm
spread: 0.0
impact: 1.5
exploitability: 6.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
