CVE-2024-8616

Date: March 20, 2025

In h2oai/h2o-3 version 3.46.0, the "/99/Models/{name}/json" endpoint allows for arbitrary file overwrite on the target server. The vulnerability arises from the "exportModelDetails" function in "ModelsHandler.java", where the user-controllable "mexport.dir" parameter is used to specify the file path for writing model details. This can lead to overwriting files at arbitrary locations on the host system.
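The weakness described above is a file write whose destination comes straight from request input. The following is an added example, not code from h2o-3 or from this advisory: one way to confine a user-supplied export path to an allowed directory in Java. `ExportPathGuard`, `resolveExportTarget` and the allowed-root policy are assumptions, and the sample inputs are constructed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;

// Added illustration, not h2o-3 code: class, method and policy are hypothetical.
public class ExportPathGuard {

    // Returns a write target guaranteed to sit under allowedRoot, or throws.
    static Path resolveExportTarget(Path allowedRoot, String requested) throws IOException {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) {
            throw new SecurityException("empty or malformed export path");
        }
        Path root = allowedRoot.toRealPath(); // canonical form, symlinks resolved
        // resolve() returns an absolute argument unchanged, so absolute input is
        // caught by the containment check instead of being trusted.
        Path candidate = root.resolve(requested).normalize();
        if (candidate.equals(root) || !candidate.startsWith(root)) {
            throw new SecurityException("export path is outside " + root);
        }
        // Never replace an existing entry (file, directory or symlink).
        if (Files.exists(candidate, LinkOption.NOFOLLOW_LINKS)) {
            throw new SecurityException("refusing to overwrite " + candidate);
        }
        // A symlinked parent could still redirect the write: resolve the deepest
        // existing ancestor and check containment again.
        Path ancestor = candidate.getParent();
        while (!Files.exists(ancestor, LinkOption.NOFOLLOW_LINKS)) {
            ancestor = ancestor.getParent();
        }
        if (!ancestor.toRealPath().startsWith(root)) {
            throw new SecurityException("export path leaves " + root + " via a symlink");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("model-exports"); // constructed sandbox
        String[] samples = { "gbm_1/details.json", "../outside.json", "/tmp/elsewhere.json" };
        for (String s : samples) { // constructed inputs
            try {
                System.out.println("accepted: " + resolveExportTarget(root, s));
            } catch (SecurityException e) {
                System.out.println("rejected: " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check and the later write are separate steps, so the write itself should open the target with `StandardOpenOption.CREATE_NEW` to fail if a file appears in between.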

Severity Score

Weakness Type (CWE)

External Control of File Name or Path

CWE-73

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): LOW
Availability (A): HIGH
