Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
H2O deserializes ML models without filtering, potentially allowing execution of malicious code
Vulnerability Description
The H2O machine learning platform uses "Iced" classes as the primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized (no class whitelist). An attacker can construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when imported to the H2O platform.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Vulnerability Type
可信数据的反序列化
Vulnerability Title
H2O 安全漏洞
Vulnerability Description
H2O是一个用于分布式、可扩展机器学习的内存平台。 H2O存在安全漏洞。攻击者利用该漏洞可以通过将精心构建的Iced模型导入到H2O平台来执行任意代码。
CVSS Information
N/A
Vulnerability Type
N/A