Lucene search

@huntr_aiCVELIST:CVE-2023-6016

HistoryNov 16, 2023 - 4:06 p.m.

CVE-2023-6016 H2O Remote Code Execution via POJO Model Import

2023-11-1616:06:24

CWE-94

@huntr_ai

www.cve.org

cve-2023-6016

h2o

remote code execution

pojo model import

server hosting

dashboard

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

10 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.2%

JSON

An attacker is able to gain remote code execution on a server hosting the H2O dashboard through it’s POJO model import feature.

CNA Affected

[
  {
    "vendor": "h2oai",
    "product": "h2oai/h2o-3",
    "versions": [
      {
        "version": "unspecified",
        "status": "affected",
        "versionType": "custom",
        "lessThanOrEqual": "latest"
      }
    ]
  }
]

References

huntr.com/bounties/83dd17ec-053e-453c-befb-7d6736bf1836

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

10 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.2%

JSON

Related for CVELIST:CVE-2023-6016