ai.h2o:h2o-core@0.1.25 vulnerabilities

  • latest version

    3.46.0.6

  • first published

    10 years ago

  • latest version published

    3 months ago

  • licenses detected

  • package manager

  • Direct Vulnerabilities

    Known vulnerabilities in the ai.h2o:h2o-core package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H
    Deserialization of Untrusted Data

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to improper input validation. An attacker can construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when imported to the H2O platform.

    How to fix Deserialization of Untrusted Data?

    There is no fixed version for ai.h2o:h2o-core.

    [0,)
    • H
    Denial Of Service

    Affected versions of this package are vulnerable to Denial Of Service through the run_tool command in the rapids component, which allows the main function of any class under the water.tools namespace to be called. An attacker can crash the server by invoking the MojoConvertTool class with an invalid argument.

    How to fix Denial Of Service?

    There is no fixed version for ai.h2o:h2o-core.

    [0,)
    • C
    External Control of File Name or Path

    Affected versions of this package are vulnerable to External Control of File Name or Path via the ImportFiles function due to improper input validation. An attacker can manipulate file paths to access or modify files outside of the intended directories by supplying crafted input.

    How to fix External Control of File Name or Path?

    Upgrade ai.h2o:h2o-core to version 3.46.0.1 or higher.

    [,3.46.0.1)
    • H
    Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal via a local file in the REST API. A remote attacker can access every file on the API server with the permissions of the user who ran the command.

    How to fix Directory Traversal?

    Upgrade ai.h2o:h2o-core to version 3.46.0.1 or higher.

    [,3.46.0.1)
    • C
    Arbitrary Code Injection

    Affected versions of this package are vulnerable to Arbitrary Code Injection through the 'import' feature. An attacker can upload and run arbitrary code, fully compromising the system with access equal to the permissions of the running h2oai process.

    How to fix Arbitrary Code Injection?

    Upgrade ai.h2o:h2o-core to version 3.46.0.1 or higher.

    [,3.46.0.1)