CVE-2024-6854

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://huntr.com/bounties/97d013f9-ac51-4c80-8dd7-8dfde11f33b2", "name": "https://huntr.com/bounties/97d013f9-ac51-4c80-8dd7-8dfde11f33b2", "tags": ["Exploit", "Third Party Advisory"], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "In h2oai/h2o-3 version 3.46.0, the endpoint for exporting models does not restrict the export location, allowing an attacker to export a model to any file in the server's file structure, thereby overwriting it. This vulnerability can be exploited to overwrite any file on the target server with a trained model file, although the content of the overwrite is not controllable by the attacker."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-36"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2024-6854", "ASSIGNER": "security@huntr.dev"}}, "impact": {}, "publishedDate": "2025-03-20T10:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:h2o:h2o:3.46.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-07-15T15:55Z"}