Platform: python
Component: h2o
Fixed in: 3.46.0.6, 3.46.1
CVE-2024-5979 is a denial-of-service (DoS) vulnerability in h2o-3, a Python machine learning library. It allows an attacker to crash the server through the run_tool command in the rapids component. Versions up to and including 3.46.0 are affected; a patch was released in version 3.46.0.6.
The core impact of CVE-2024-5979 is a denial-of-service. An attacker can remotely trigger a crash in the h2o-3 server by crafting a malicious request that targets the MojoConvertTool within the run_tool command. This crash effectively renders the server unavailable, disrupting machine learning workflows and potentially impacting dependent applications. The blast radius extends to any service relying on the vulnerable h2o-3 instance, potentially affecting data scientists, machine learning engineers, and downstream consumers of the model predictions. While the vulnerability doesn't directly lead to data exfiltration or code execution, the service disruption can have significant operational consequences.
CVE-2024-5979 was publicly disclosed on 2024-06-27. There is currently no indication of active exploitation in the wild. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the vulnerability's nature suggests that a simple PoC could be developed relatively easily.
Exploit Status
EPSS: 0.12% (31st percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-5979 is to upgrade to version 3.46.0.6 or later. If an immediate upgrade is not feasible because of compatibility concerns or testing requirements, consider validating the arguments passed to the run_tool command so that malformed arguments are rejected before they reach the tool. A WAF is unlikely to address this vulnerability directly, but rate limiting requests to the run_tool endpoint can reduce the impact of a denial-of-service attempt. After upgrading, confirm the fix by invoking the MojoConvertTool with an invalid argument and verifying that the server does not crash.
Update the h2oai/h2o-3 library to version 3.46.0.6 or later. This fixes the denial-of-service vulnerability caused by incorrect argument handling in the MojoConvertTool. The update prevents an attacker from crashing the server by sending invalid arguments.
CVE-2024-5979 is a denial-of-service vulnerability in h2o-3 versions up to 3.46.0. An attacker can crash the server by exploiting the MojoConvertTool, leading to service disruption.
You are affected if you are using h2o-3 version 3.46.0 or earlier. Check your installed version using pip show h2o.
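The version check described above, and the fixed version named in the mitigation section, can be turned into a small inventory check. The following script is an added example, not code from h2o.ai or from this advisory: it parses the output of pip show h2o, compares the installed version against 3.46.0.6, and reports whether the host still needs the upgrade. It treats any version below 3.46.0.6 as needing the upgrade, which matches the advice to move to 3.46.0.6 or later. The sample pip show output embedded below is constructed for the demonstration; the subprocess call is only used when the script is run directly on a host.

```python
import re
import subprocess

# Version in which this page says CVE-2024-5979 is fixed (3.46.1 is also listed as fixed).
FIXED_VERSION = "3.46.0.6"

# Constructed sample of `pip show h2o` output, used for the offline demonstration.
SAMPLE_PIP_SHOW = """Name: h2o
Version: 3.46.0.5
Summary: H2O, Fast Scalable Machine Learning, for python
Location: /opt/venv/lib/python3.11/site-packages
"""


def parse_version(version):
    """Turn '3.46.0.6' into (3, 46, 0, 6).

    Only the leading digits of each dot-separated piece are used, so a
    suffix such as 'rc1' is ignored rather than causing an error.
    """
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 like a classic comparator.

    Shorter tuples are right-padded with zeros so '3.46.0' equals '3.46.0.0'
    and sorts below '3.46.0.6'.
    """
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_vulnerable(installed):
    """True when the installed h2o version is older than the fixed version."""
    return compare_versions(installed, FIXED_VERSION) < 0


def version_from_pip_show(output):
    """Extract the 'Version:' field from `pip show` output, or None if absent."""
    for line in output.splitlines():
        if line.lower().startswith("version:"):
            return line.split(":", 1)[1].strip()
    return None


def installed_h2o_version():
    """Run `pip show h2o` on this host; None if pip fails or h2o is not installed."""
    try:
        result = subprocess.run(
            ["pip", "show", "h2o"], capture_output=True, text=True, check=False
        )
    except OSError:
        return None
    if result.returncode != 0:
        return None
    return version_from_pip_show(result.stdout)


if __name__ == "__main__":
    version = installed_h2o_version()
    if version is None:
        print("h2o is not installed (or pip is unavailable); nothing to check.")
    elif is_vulnerable(version):
        print(f"h2o {version} is below {FIXED_VERSION}: upgrade for CVE-2024-5979.")
    else:
        print(f"h2o {version} is at or above {FIXED_VERSION}: not affected.")
```

The four-component h2o version scheme is why a plain string comparison is not enough: "3.46.0.6" sorts after "3.46.0" as text, but "3.46.0.10" would sort before "3.46.0.6", so the check compares integer tuples instead.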
Upgrade to version 3.46.0.6 or later. If immediate upgrade isn't possible, implement input validation on the run_tool command.
There is currently no indication of active exploitation in the wild, but a PoC could be developed easily.
Refer to the h2o.ai security advisories page for the latest information: https://www.h2o.ai/security/