Advisories for Maven/Ai.h2o/H2o-Core package

2024

H2O vulnerable to Deserialization of Untrusted Data

The H2O machine learning platform uses "Iced" classes as the primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized (no class allowlist). An attacker can construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when imported to the H2O platform.

2023

S3 Bucket can lead to spread of malicious R package

H2O included a reference to an S3 bucket that no longer existed allowing an attacker to take over the S3 bucket URL.

Missing Authorization

An attacker is able to read any file on the server hosting the H2O dashboard without any authentication.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

H2O is vulnerable to stored XSS vulnerability which can lead to a Local File Include attack.

Improper Control of Generation of Code ('Code Injection')

An attacker is able to gain remote code execution on a server hosting the H2O dashboard through it's POJO model import feature.