ai.h2o:h2o-core@3.46.0.7 vulnerabilities

  • latest version

    3.46.0.7

  • first published

    10 years ago

  • latest version published

    16 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the ai.h2o:h2o-core package. This does not include vulnerabilities belonging to this package’s dependencies.

    • Improper Handling of Highly Compressed Data (Data Amplification) (severity: High)

    Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification). An attacker can make the server unresponsive and exhaust system memory by uploading a large GZIP file and having it parsed repeatedly.

    How to fix Improper Handling of Highly Compressed Data (Data Amplification)?

    There is no fixed version for ai.h2o:h2o-core.

    Vulnerable versions: [3.32.1.2,)

    • Regular Expression Denial of Service (ReDoS) (severity: High)

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) through the /3/ParseSetup endpoint, which applies a user-specified regular expression to a user-controllable string. An attacker can trigger pathological regular expression complexity, exhausting server resources and making the server unresponsive.

    How to fix Regular Expression Denial of Service (ReDoS)?

    There is no fixed version for ai.h2o:h2o-core.

    Vulnerable versions: [3.30.0.7,)

    • Regular Expression Denial of Service (ReDoS) (severity: High)

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) through the /3/Parse endpoint. By sending multiple simultaneous requests, an attacker can exhaust all available threads, leading to a complete denial of service.

    How to fix Regular Expression Denial of Service (ReDoS)?

    There is no fixed version for ai.h2o:h2o-core.

    Vulnerable versions: [0,)

    • Exposed Dangerous Method or Function (severity: Medium)

    Affected versions of this package are vulnerable to Exposed Dangerous Method or Function through the EncryptionTool endpoint. An attacker can encrypt arbitrary files on the target server with a key of their choosing, making it exceedingly difficult for the target to recover the keys needed for decryption.

    How to fix Exposed Dangerous Method or Function?

    There is no fixed version for ai.h2o:h2o-core.

    Vulnerable versions: [0,)

    • Directory Traversal (severity: High)

    Affected versions of this package are vulnerable to Directory Traversal via the endpoint for exporting models. An attacker can overwrite any file on the target server by exporting a model to any file in the server's file structure.

    Note:

    This vulnerability requires there to be a model that is available for export. In usual instances of h2o-3 there are probably some models in memory from regular use.

    How to fix Directory Traversal?

    There is no fixed version for ai.h2o:h2o-core.

    Vulnerable versions: [0,)

    • Denial of Service (DoS) (severity: High)

    Affected versions of this package are vulnerable to Denial of Service (DoS) via the /3/ImportFiles endpoint. By setting the path parameter to reference the endpoint itself, an attacker can cause the server to call its own endpoint recursively, eventually filling the request queue and leaving the server unable to handle other requests.

    How to fix Denial of Service (DoS)?

    There is no fixed version for ai.h2o:h2o-core.

    Vulnerable versions: [0,)

    • Synchronous Access of Remote Resource without Timeout (severity: High)

    Affected versions of this package are vulnerable to Synchronous Access of Remote Resource without Timeout via the typeahead endpoint, because no timeout is applied when checking that a specified resource exists. An attacker can cause the application to block and become unresponsive to other requests by sending multiple requests that point at an attacker-controlled server which hangs.

    How to fix Synchronous Access of Remote Resource without Timeout?

    There is no fixed version for ai.h2o:h2o-core.

    Vulnerable versions: [0,)

    • Deserialization of Untrusted Data (severity: High)

    Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to improper input validation. An attacker can construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when it is imported into the H2O platform.

    How to fix Deserialization of Untrusted Data?

    There is no fixed version for ai.h2o:h2o-core.

    Vulnerable versions: [0,)