8.2

CVSS Score

3.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-8616

CVE-2024-8616: H2O Vulnerable to Arbitrary File Overwrite

In h2oai/h2o-3 version 3.46.0, the /99/Models/{name}/json endpoint allows for arbitrary file overwrite on the target server. The vulnerability arises from the exportModelDetails function in ModelsHandler.java, where the user-controllable mexport.dir parameter is used to specify the file path for writing model details. This can lead to overwriting files at arbitrary locations on the host system.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-8616

CVE-2024-8616:

8.2

CVSS Score

3.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
h2o	pip	>= 3.10.4.1, <= 3.46.0
ai.h2o:h2o-core	maven	>= 3.10.4.1, <= 3.46.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability (CVE-2024-8616) description explicitly states that the exportModelDetails function within h2o-core/src/main/java/water/api/ModelsHandler.java is the source of the arbitrary file overwrite. The mexport.dir parameter within the ModelExportV3 object, passed to this function, is identified as user-controllable and is used to construct the file path for exporting model details.

Analysis of the provided code for ModelsHandler.java (specifically the version linked by commit 088190f9d0370a02a483fca68d8dc89c996b4f83, which corresponds to the vulnerable version 3.46.0) confirms this. The exportModelDetails method takes a ModelExportV3 mexport object. Inside this method, mexport.dir is used with FileUtils.getURI() to create a URI, which is then used by Persist.create() to open an OutputStream. This stream is subsequently used to write the model details. Since mexport.dir is user-controlled via the /99/Models/{name}/json endpoint, an attacker can craft this parameter to point to an arbitrary file path on the server, leading to a file overwrite. The function signature water.api.ModelsHandler.exportModelDetails would appear in runtime profiles during the exploitation of this vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-8616: H2O Vulnerable to Arbitrary File Overwrite

CVE-2024-8616:

8.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

8.2

8.2

CVE-2024-8616: H2O Vulnerable to Arbitrary File Overwrite

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI