Wiz
Vulnerability DatabaseCVE-2024-6960

CVE-2024-6960
Java vulnerability analysis and mitigation

Overview

The H2O machine learning platform contains a critical vulnerability (CVE-2024-6960) discovered in July 2024. The vulnerability affects the h2o-core package versions <=3.46.0.4, where the platform's 'Iced' classes, used for moving Java Objects around the cluster, support inclusion of serialized Java objects without proper class whitelisting during deserialization (JFrog Research, NVD).

Technical details

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 score of 7.5 (HIGH). The technical issue stems from the H2O platform's handling of 'Iced' format, which allows serialized Java objects to be included. When a model is deserialized, the platform fails to implement proper class filtering, allowing any class to be deserialized without restrictions (JFrog Research, Hacker News).

Impact

The vulnerability can lead to arbitrary code execution when an attacker-crafted Iced model is imported to the H2O platform. This poses significant risks as it could allow attackers to execute malicious code within the context of the H2O application (JFrog Research, Hacker News).

Mitigation and workarounds

Users should avoid using versions <=3.46.0.4 of the ai.h2o/h2o-core package. No specific mitigations have been provided for this vulnerability (FortiGuard).

Additional resources

SourceThis report was generated using AI

Related Java vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-55749HIGH8.7
  • JavaJava
  • org.xwiki.platform:xwiki-platform-tool-jetty-resources
NoYesDec 01, 2025
CVE-2025-64775HIGH7.5
  • JavaJava
  • javapackages-tools:201801::guice-servlet
NoYesDec 01, 2025
CVE-2025-13806MEDIUM6.9
  • JavaJava
  • org.nutz:nutzboot-parent
NoNoDec 01, 2025
CVE-2025-66453MEDIUM5.5
  • JavaJava
  • org.mozilla:rhino
NoYesDec 03, 2025
CVE-2025-13472MEDIUM5.3
  • JavaJava
  • com.blazemeter.plugins:blazemeterjenkinsplugin
NoYesDec 03, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo