Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/730193?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/730193?format=api", "purl": "pkg:maven/ai.h2o/h2o-core@0.1.3", "type": "maven", "namespace": "ai.h2o", "name": "h2o-core", "version": "0.1.3", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/40565?format=api", "vulnerability_id": "VCID-b1re-5nwx-wfb2", "summary": "H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connection_url property with any typical JDBC Connection URL attack payload such as one that uses queryInterceptors.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45758", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00106", "scoring_system": "epss", "scoring_elements": "0.28199", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00106", "scoring_system": "epss", "scoring_elements": "0.28394", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-45758" }, { "reference_url": "https://github.com/h2oai/h2o-3", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/h2oai/h2o-3" }, { "reference_url": "https://github.com/h2oai/h2o-3/issues/16425", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://github.com/h2oai/h2o-3/issues/16425" }, { "reference_url": "https://github.com/h2oai/h2o-3/issues/16622", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/h2oai/h2o-3/issues/16622" }, { "reference_url": "https://github.com/h2oai/h2o-3/pull/16624", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/h2oai/h2o-3/pull/16624" }, { "reference_url": "https://gist.github.com/AfterSnows/c24ca3c26dc89ab797e610e92a6a9acb", "reference_id": "c24ca3c26dc89ab797e610e92a6a9acb", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-09-06T17:51:47Z/" } ], "url": "https://gist.github.com/AfterSnows/c24ca3c26dc89ab797e610e92a6a9acb" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45758", "reference_id": "CVE-2024-45758", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45758" }, { "reference_url": "https://github.com/advisories/GHSA-hrmc-jmp7-mpm2", "reference_id": "GHSA-hrmc-jmp7-mpm2", "reference_type": "", "scores": [ { "value": 
"CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hrmc-jmp7-mpm2" }, { "reference_url": "https://spear-shield.notion.site/Unauthenticated-Remote-Code-Execution-via-Unrestricted-JDBC-Connection-87a958a4874044199cbb86422d1f6068", "reference_id": "Unauthenticated-Remote-Code-Execution-via-Unrestricted-JDBC-Connection-87a958a4874044199cbb86422d1f6068", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-09-06T17:51:47Z/" } ], "url": "https://spear-shield.notion.site/Unauthenticated-Remote-Code-Execution-via-Unrestricted-JDBC-Connection-87a958a4874044199cbb86422d1f6068" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/739743?format=api", "purl": "pkg:maven/ai.h2o/h2o-core@3.46.0.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cu6c-k4e7-puf7" }, { "vulnerability": "VCID-wg5g-p9nq-nbex" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/ai.h2o/h2o-core@3.46.0.8" } ], "aliases": [ "CVE-2024-45758", "GHSA-hrmc-jmp7-mpm2" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b1re-5nwx-wfb2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/85971?format=api", "vulnerability_id": "VCID-cu6c-k4e7-puf7", "summary": "A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific dangerous parameters. 
An attacker can bypass these controls by switching the JDBC URL protocol to jdbc:postgresql: and exploiting PostgreSQL JDBC driver-specific parameters such as socketFactory and socketFactoryArg. This allows unauthenticated attackers to execute arbitrary code on the H2O-3 server with the privileges of the H2O-3 process. The issue is resolved in version 3.46.0.10.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3960", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00351", "scoring_system": "epss", "scoring_elements": "0.5804", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00351", "scoring_system": "epss", "scoring_elements": "0.57928", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3960" }, { "reference_url": "https://github.com/h2oai/h2o-3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/h2oai/h2o-3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3960", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3960" }, { "reference_url": "https://huntr.com/bounties/6954fe04-b905-453f-8c53-205ac8377e0d", "reference_id": "6954fe04-b905-453f-8c53-205ac8377e0d", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T12:25:29Z/" } ], "url": "https://huntr.com/bounties/6954fe04-b905-453f-8c53-205ac8377e0d" }, { "reference_url": "https://github.com/h2oai/h2o-3/commit/b9ae2d3c5220db2dc53753357a783e590364d044", "reference_id": "b9ae2d3c5220db2dc53753357a783e590364d044", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-23T12:25:29Z/" } ], "url": "https://github.com/h2oai/h2o-3/commit/b9ae2d3c5220db2dc53753357a783e590364d044" }, { "reference_url": "https://github.com/advisories/GHSA-qmcv-hh7c-3m56", "reference_id": "GHSA-qmcv-hh7c-3m56", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qmcv-hh7c-3m56" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374096?format=api", "purl": "pkg:maven/ai.h2o/h2o-core@3.46.0.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-wg5g-p9nq-nbex" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/ai.h2o/h2o-core@3.46.0.10" } ], "aliases": [ "CVE-2026-3960", "GHSA-qmcv-hh7c-3m56" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cu6c-k4e7-puf7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/111051?format=api", "vulnerability_id": "VCID-faw8-tfz2-eudq", "summary": 
"A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute arbitrary code. The vulnerability arises from improper handling of JDBC connection parameters, which can be exploited by bypassing regular expression checks and using double URL encoding. This issue impacts all users of the affected versions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6544", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00796", "scoring_system": "epss", "scoring_elements": "0.74499", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00796", "scoring_system": "epss", "scoring_elements": "0.74426", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6544" }, { "reference_url": "https://github.com/h2oai/h2o-3", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/h2oai/h2o-3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6544", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6544" }, { "reference_url": "https://github.com/h2oai/h2o-3/commit/0298ee348f5c73673b7b542158081e79605f5f25", "reference_id": "0298ee348f5c73673b7b542158081e79605f5f25", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-09-22T17:23:22Z/" } ], "url": "https://github.com/h2oai/h2o-3/commit/0298ee348f5c73673b7b542158081e79605f5f25" }, { "reference_url": "https://huntr.com/bounties/53f35a0f-d644-4f82-93aa-89fe7e0aed40", "reference_id": "53f35a0f-d644-4f82-93aa-89fe7e0aed40", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-09-22T17:23:22Z/" } ], "url": "https://huntr.com/bounties/53f35a0f-d644-4f82-93aa-89fe7e0aed40" }, { "reference_url": "https://github.com/advisories/GHSA-5w3j-gwgh-4rfv", "reference_id": "GHSA-5w3j-gwgh-4rfv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-5w3j-gwgh-4rfv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/739743?format=api", "purl": "pkg:maven/ai.h2o/h2o-core@3.46.0.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-cu6c-k4e7-puf7" }, { "vulnerability": "VCID-wg5g-p9nq-nbex" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/ai.h2o/h2o-core@3.46.0.8" } ], "aliases": [ "CVE-2025-6544", "GHSA-5w3j-gwgh-4rfv" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-faw8-tfz2-eudq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51901?format=api", "vulnerability_id": 
"VCID-nfcx-t5c9-5bbt", "summary": "A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are passed to DriverManager.getConnection, leading to deserialization if a MySQL or PostgreSQL driver is available in the classpath. This issue is fixed in version 3.47.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-10553", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02857", "scoring_system": "epss", "scoring_elements": "0.8661", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.02857", "scoring_system": "epss", "scoring_elements": "0.8656", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-10553" }, { "reference_url": "https://github.com/h2oai/h2o-3", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/h2oai/h2o-3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10553", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10553" }, { "reference_url": "https://github.com/h2oai/h2o-3/commit/ac1d642b4d86f10a02d75974055baf2a4b2025ac", "reference_id": "ac1d642b4d86f10a02d75974055baf2a4b2025ac", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-20T17:51:32Z/" } ], "url": "https://github.com/h2oai/h2o-3/commit/ac1d642b4d86f10a02d75974055baf2a4b2025ac" }, { "reference_url": "https://huntr.com/bounties/e6f550dd-eda2-428c-a740-ed8f893a084b", "reference_id": "e6f550dd-eda2-428c-a740-ed8f893a084b", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-20T17:51:32Z/" } ], "url": "https://huntr.com/bounties/e6f550dd-eda2-428c-a740-ed8f893a084b" }, { "reference_url": "https://github.com/advisories/GHSA-h7xg-cmpp-48hf", "reference_id": "GHSA-h7xg-cmpp-48hf", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-h7xg-cmpp-48hf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/378068?format=api", "purl": "pkg:maven/ai.h2o/h2o-core@3.46.0.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-b1re-5nwx-wfb2" }, { "vulnerability": "VCID-cu6c-k4e7-puf7" }, { "vulnerability": "VCID-faw8-tfz2-eudq" }, { "vulnerability": "VCID-wg5g-p9nq-nbex" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/ai.h2o/h2o-core@3.46.0.6" } ], "aliases": [ "CVE-2024-10553", "GHSA-h7xg-cmpp-48hf" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", 
"resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nfcx-t5c9-5bbt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39499?format=api", "vulnerability_id": "VCID-rgnx-9tfe-6kh3", "summary": "A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the `/3/Parse` endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the `/3/Frames/framename/export` endpoint. The impact of this vulnerability includes the potential for remote code execution and complete access to the system running h2o-3, as attackers can overwrite critical files such as private SSH keys or script files.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-5986", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37474", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00165", "scoring_system": "epss", "scoring_elements": "0.37297", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-5986" }, { "reference_url": "https://github.com/h2oai/h2o-3", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/h2oai/h2o-3" }, { "reference_url": "https://huntr.com/bounties/64ff5319-6ac3-4447-87f7-b53495d4d5a3", "reference_id": "64ff5319-6ac3-4447-87f7-b53495d4d5a3", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": 
"CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-02-02T12:52:10Z/" } ], "url": "https://huntr.com/bounties/64ff5319-6ac3-4447-87f7-b53495d4d5a3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5986", "reference_id": "CVE-2024-5986", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5986" }, { "reference_url": "https://github.com/advisories/GHSA-wj3h-wx8g-x699", "reference_id": "GHSA-wj3h-wx8g-x699", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wj3h-wx8g-x699" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/730439?format=api", "purl": "pkg:maven/ai.h2o/h2o-core@3.46.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-b1re-5nwx-wfb2" }, { "vulnerability": "VCID-cu6c-k4e7-puf7" }, { "vulnerability": "VCID-da4r-ymzc-f7gg" }, { "vulnerability": "VCID-faw8-tfz2-eudq" }, { "vulnerability": "VCID-nfcx-t5c9-5bbt" }, { "vulnerability": "VCID-vme1-up9z-yqaw" }, { "vulnerability": "VCID-wg5g-p9nq-nbex" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/ai.h2o/h2o-core@3.46.0.2" } ], "aliases": [ "CVE-2024-5986", "GHSA-wj3h-wx8g-x699" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rgnx-9tfe-6kh3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50447?format=api", "vulnerability_id": "VCID-vme1-up9z-yqaw", "summary": "The H2O machine learning platform uses \"Iced\" classes as the 
primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized (no class whitelist). An attacker can construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when imported to the H2O platform.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6960", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40204", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00185", "scoring_system": "epss", "scoring_elements": "0.40035", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6960" }, { "reference_url": "https://github.com/h2oai/h2o-3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/h2oai/h2o-3" }, { "reference_url": "https://mvnrepository.com/artifact/ai.h2o/h2o-core", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://mvnrepository.com/artifact/ai.h2o/h2o-core" }, { "reference_url": "https://research.jfrog.com/vulnerabilities/h2o-model-deserialization-rce-jfsa-2024-001035518", "reference_id": "", "reference_type": "", "scores": [ { 
"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://research.jfrog.com/vulnerabilities/h2o-model-deserialization-rce-jfsa-2024-001035518" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6960", "reference_id": "CVE-2024-6960", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6960" }, { "reference_url": "https://github.com/advisories/GHSA-w36w-948j-xhfw", "reference_id": "GHSA-w36w-948j-xhfw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w36w-948j-xhfw" }, { "reference_url": "https://research.jfrog.com/vulnerabilities/h2o-model-deserialization-rce-jfsa-2024-001035518/", "reference_id": "h2o-model-deserialization-rce-jfsa-2024-001035518", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-24T17:06:30Z/" } ], "url": "https://research.jfrog.com/vulnerabilities/h2o-model-deserialization-rce-jfsa-2024-001035518/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/730441?format=api", "purl": "pkg:maven/ai.h2o/h2o-core@3.46.0.5", "is_vulnerable": true, 
"affected_by_vulnerabilities": [ { "vulnerability": "VCID-b1re-5nwx-wfb2" }, { "vulnerability": "VCID-cu6c-k4e7-puf7" }, { "vulnerability": "VCID-faw8-tfz2-eudq" }, { "vulnerability": "VCID-nfcx-t5c9-5bbt" }, { "vulnerability": "VCID-wg5g-p9nq-nbex" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/ai.h2o/h2o-core@3.46.0.5" } ], "aliases": [ "CVE-2024-6960", "GHSA-w36w-948j-xhfw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vme1-up9z-yqaw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/358718?format=api", "vulnerability_id": "VCID-wg5g-p9nq-nbex", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-7768", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00509", "scoring_system": "epss", "scoring_elements": "0.66789", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00509", "scoring_system": "epss", "scoring_elements": "0.66882", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-7768" }, { "reference_url": "https://github.com/h2oai/h2o-3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/h2oai/h2o-3" }, { "reference_url": "https://github.com/h2oai/h2o-3/blob/7d418fa19d3ab434f742818e37f891bef9102c97/h2o-core/src/main/java/water/api/ImportFilesHandler.java#L19", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/h2oai/h2o-3/blob/7d418fa19d3ab434f742818e37f891bef9102c97/h2o-core/src/main/java/water/api/ImportFilesHandler.java#L19" }, { "reference_url": "https://huntr.com/bounties/3fe640df-bef4-4072-8890-0d12bc2818f6", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://huntr.com/bounties/3fe640df-bef4-4072-8890-0d12bc2818f6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7768", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7768" }, { "reference_url": "https://github.com/advisories/GHSA-p2vc-m5fv-9w9m", "reference_id": "GHSA-p2vc-m5fv-9w9m", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-p2vc-m5fv-9w9m" } ], "fixed_packages": [], "aliases": [ "CVE-2024-7768", "GHSA-p2vc-m5fv-9w9m" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wg5g-p9nq-nbex" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/ai.h2o/h2o-core@0.1.3" }