CVE-2024-8616 — H2O Vulnerable to Arbitrary File Overwrite

Description

In h2oai/h2o-3 version 3.46.0, the `/99/Models/{name}/json` endpoint allows for arbitrary file overwrite on the target server. The vulnerability arises from the `exportModelDetails` function in `ModelsHandler.java`, where the user-controllable `mexport.dir` parameter is used to specify the file path for writing model details. This can lead to overwriting files at arbitrary locations on the host system.

How to fix CVE-2024-8616

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed
—no fix listed

Is CVE-2024-8616 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 3.10.4.1, <= 3.46.0
>= 3.10.4.1, <= 3.46.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.2	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-8616
PATCHgithub.com/h2oai/h2o-3
WEBgithub.com/h2oai/h2o-3/blob/088190f9d0370a02a483fca68d8dc89c996b4f83/h2o-core/src/main/java/water/api/ModelsHandler.java#L310
WEBhuntr.com/bounties/aebf69a5-b9b1-4d2f-a8ff-902c11a8c97a