CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-8616: Arbitrary File Overwrite in h2oai/h2o-3

8.2 CVSS

Description

In h2oai/h2o-3 version 3.46.0, the `/99/Models/{name}/json` endpoint allows for arbitrary file overwrite on the target server. The vulnerability arises from the `exportModelDetails` function in `ModelsHandler.java`, where the user-controllable `mexport.dir` parameter is used to specify the file path for writing model details. This can lead to overwriting files at arbitrary locations on the host system.

Classification

CVE ID: CVE-2024-8616

CVSS Base Severity: HIGH

CVSS Base Score: 8.2

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Problem Types

CWE-73 External Control of File Name or Path

Affected Products

Vendor: h2oai

Product: h2oai/h2o-3

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 16.43% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-8616
https://huntr.com/bounties/aebf69a5-b9b1-4d2f-a8ff-902c11a8c97a

Timeline

2025-03-20 11:40:42 UTC
CVE

Arbitrary File Overwrite in h2oai/h2o-3