AVID-2026-R1581
Description
Denial of Service via Invalid Argument in h2oai/h2o-3 (CVE-2024-5979)
Details
In h2oai/h2o-3 version 3.46.0, the run_tool command in the rapids component allows the main function of any class under the water.tools namespace to be called. One such class, MojoConvertTool, crashes the server when invoked with an invalid argument, causing a denial of service.
Reason for inclusion in AVID: CVE-2024-5979 describes a denial-of-service vulnerability in the h2o-3 rapids component that allows the main function of any class under water.tools to be invoked, crashing the server when it is given invalid arguments. It is a software vulnerability in a dependency used in AI workflows and model serving, triggerable over the network, with an availability impact. It is not hardware- or firmware-only and affects components commonly used in AI pipelines, so it is relevant to the AI supply chain.
References
- NVD entry
- https://huntr.com/bounties/d80a2139-fc03-44b7-b739-de41e323b458
- https://github.com/h2oai/h2o-3/commit/d0899f8e0f7a584b60405a65b1d7b439aaaa55a5
Affected or Relevant Artifacts
- Developer: h2oai
- Deployer: h2oai
- Artifact Details:
| Type | Name |
|---|---|
| System | h2oai/h2o-3 |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Base Score | 7.5 |
| Base Severity | 🔴 High |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-94 | Improper Control of Generation of Code ('Code Injection') |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-06-27
- Version: 0.3.3
- AVID Entry