@blamejs/exceptd-skills 0.13.103 → 0.13.105

package/data/atlas-ttps.json

@@ -144,10 +144,13 @@
     "last_verified": "2026-05-19",
     "cve_refs": [
       "CVE-2023-43654",
+      "CVE-2023-6016",
       "CVE-2024-0129",
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2024-37032",
       "CVE-2025-1550",
       "CVE-2025-32434",
@@ -1278,11 +1281,13 @@
     "last_verified": "2026-05-19",
     "cve_refs": [
       "CVE-2023-44467",
+      "CVE-2023-6016",
       "CVE-2024-0129",
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
       "CVE-2024-21513",
+      "CVE-2024-24590",
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",
@@ -1732,10 +1737,12 @@
       "CVE-2023-51449",
       "CVE-2023-6019",
       "CVE-2023-6021",
+      "CVE-2023-6038",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21575",
       "CVE-2024-21576",
+      "CVE-2024-24591",
       "CVE-2024-27132",
       "CVE-2024-37032",
       "CVE-2024-39722",
@@ -2844,10 +2851,12 @@
     "is_subtechnique": true,
     "cve_refs": [
       "CVE-2022-1471",
+      "CVE-2023-6016",
       "CVE-2024-0129",
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-24590",
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",

package/data/attack-techniques.json

@@ -276,6 +276,7 @@
       "CVE-2023-43654",
       "CVE-2023-44467",
       "CVE-2023-48022",
+      "CVE-2023-6016",
       "CVE-2023-6019",
       "CVE-2024-0129",
       "CVE-2024-11392",
@@ -286,6 +287,7 @@
       "CVE-2024-21513",
       "CVE-2024-21575",
       "CVE-2024-21576",
+      "CVE-2024-24590",
       "CVE-2024-37032",
       "CVE-2024-42479",
       "CVE-2024-4889",
@@ -874,8 +876,10 @@
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2023-52163",
+      "CVE-2023-6016",
       "CVE-2023-6019",
       "CVE-2023-6021",
+      "CVE-2023-6038",
       "CVE-2024-12987",
       "CVE-2024-13059",
       "CVE-2024-1561",
@@ -1139,6 +1143,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-24590",
       "CVE-2024-3094",
       "CVE-2025-1550",
       "CVE-2025-32434",
@@ -2490,6 +2495,7 @@
     "cve_refs": [
       "CVE-2023-36424",
       "CVE-2023-51449",
+      "CVE-2023-6038",
       "CVE-2024-1561",
       "CVE-2025-14847",
       "CVE-2025-22226",
@@ -3579,7 +3585,9 @@
     "cve_refs": [
       "CVE-2023-51449",
       "CVE-2023-6021",
+      "CVE-2023-6038",
       "CVE-2024-1561",
+      "CVE-2024-24591",
       "CVE-2024-39722",
       "CVE-2026-34926"
     ]
@@ -4325,6 +4333,8 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-24590",
+      "CVE-2024-24591",
       "CVE-2025-1550",
       "CVE-2025-32434",
       "CVE-2025-33236",
@@ -14875,7 +14885,10 @@
     "stix_id": "attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292",
     "last_verified": "2026-05-19",
     "_auto_imported": true,
-    "_intake_method": "mitre-attack-stix"
+    "_intake_method": "mitre-attack-stix",
+    "cve_refs": [
+      "CVE-2024-24591"
+    ]
   },
   "T1565.002": {
     "id": "T1565.002",

package/data/cve-catalog.json

@@ -16038,6 +16038,432 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "Langflow's unauthenticated public flow-build endpoint runs flow-supplied Python through an unsandboxed dynamic-execution sink (CWE-94/CWE-95/CWE-306), giving unauthenticated RCE; CISA KEV (added 2026-03-25, actively exploited), fixed in 1.9.0."
   },
+  "CVE-2024-24590": {
+    "name": "ClearML Client SDK Artifact Deserialization Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 8.8 (HIGH); HiddenLayer (CNA) rates it 8.0 (HIGH, PR:L). The ClearML client SDK deserializes a stored artifact through an unsafe Python object-deserialization path when a user retrieves it, so a maliciously uploaded artifact runs arbitrary code on the retrieving user's system (CWE-502).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "HiddenLayer published the analysis and attack chain (a malicious artifact runs code when a victim retrieves it).",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by HiddenLayer (https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/). The abused surface is a widely used MLOps / experiment-tracking platform (ClearML) - the AI supply-chain layer between data scientists.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is in how an MLOps platform handles uploaded experiment artifacts.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a documented attack chain; no confirmed in-the-wild exploitation reported as of curation. No fixed SDK version is published in the advisory, so users on the affected range remain exposed when retrieving untrusted artifacts.",
+    "affected": "ClearML client SDK 0.17.0 through 1.14.2.",
+    "affected_versions": [
+      "ClearML (pip) >= 0.17.0, <= 1.14.2"
+    ],
+    "vector": "ClearML is an MLOps / experiment-tracking platform. Its client SDK stores experiment artifacts and reconstructs them on retrieval using an unsafe Python object-deserialization routine. An attacker who can upload an artifact to a project a victim will open embeds a malicious serialized object; when the victim's SDK retrieves and interacts with that artifact, the object's deserialization runs attacker code on the victim's machine (CWE-502). Disclosed by HiddenLayer.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:R - network-delivered via an uploaded artifact, but requires the victim to retrieve/interact with it (UI:R). HiddenLayer's CNA vector marks PR:L (an account that can upload to the shared project).",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed SDK version is listed in the advisory as of curation; mitigation is retrieving artifacts/datasets only from trusted projects and treating retrieved content as untrusted (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed ClearML SDK version is listed in the GitHub advisory or NVD as of curation (HiddenLayer states the issues were resolved with the vendor within the disclosure window, but no specific fixed version is published). Only retrieve artifacts/datasets from trusted ClearML projects, run the SDK with least privilege, and treat every retrieved artifact as untrusted until the deployed SDK version is confirmed to refuse unsafe deserialization."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input validation is not applied to an uploaded experiment artifact/dataset before the MLOps SDK deserializes it.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: the SDK auto-deserializes artifacts through an unsafe routine on retrieval.",
+      "NIST-800-53-SR-3": "Supply-chain controls do not treat MLOps experiment artifacts/datasets as untrusted third-party content delivered between collaborators.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address unsafe deserialization of stored artifacts in an MLOps SDK.",
+      "NIS2-Art21-supply-chain": "Supply-chain-security measures do not reach the MLOps platform as a channel that delivers executable artifacts between data scientists.",
+      "DORA-Art-9": "ICT protection measures do not model MLOps-artifact retrieval as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating MLOps artifacts/datasets before deserialization or extraction.",
+      "AU-ISM-1546": "Patch-application control does not single out MLOps client SDKs.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an MLOps / experiment-tracking platform's uploaded artifacts and datasets as an untrusted code/file-delivery surface."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1059",
+      "T1195.002"
+    ],
+    "rwep_score": 42,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 22,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 42, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no fixed SDK version published so no patch credit (Hard Rule #3); the UI:R requirement (victim must retrieve the malicious artifact) keeps blast moderate. poc_available=20 + blast_radius=22.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-24590",
+    "cwe_refs": [
+      "CWE-502"
+    ],
+    "iocs": {
+      "behavioral": [
+        "ClearML artifacts whose stored payload is a serialized object rather than the expected data type (a deserialization-gadget payload).",
+        "The ClearML client SDK spawning shell, network, or file-system child processes immediately after an artifact is retrieved or previewed.",
+        "Uploads to shared ClearML projects from accounts/users that should not be contributing artifacts.",
+        "ClearML (pip) 0.17.0-1.14.2 retrieving artifacts/datasets from projects that accept untrusted uploads - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the HiddenLayer disclosure (https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/), the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-cpcw-9h9m-wqw9), and NVD CVE-2024-24590 (CWE-502)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-24590",
+      "https://github.com/advisories/GHSA-cpcw-9h9m-wqw9",
+      "https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-24590",
+        "url": "https://github.com/advisories/GHSA-cpcw-9h9m-wqw9",
+        "severity": "high",
+        "published_date": "2024-06-27"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-24590",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24590",
+        "severity": "high",
+        "published_date": "2024-06-27"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the HiddenLayer disclosure (https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/) + the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-cpcw-9h9m-wqw9, CWE-502) + NVD (CVSS v3.1 8.8) / HiddenLayer (CNA 8.0). MLOps / experiment-tracking platform flaw (ClearML); introduces the MLOps-artifact trust-boundary control NEW-CTRL-104.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ClearML client SDK reconstructs stored artifacts through unsafe Python object-deserialization on retrieval, so a malicious artifact runs code on the retrieving user (CWE-502); no fixed SDK version is listed in the advisory - treat retrieved artifacts as untrusted."
+  },
+  "CVE-2024-24591": {
+    "name": "ClearML Client SDK Dataset Path Traversal Arbitrary File Write",
+    "type": "Arbitrary File Write",
+    "cvss_score": 8.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 8.8 (HIGH); HiddenLayer (CNA) rates it 8.0 (HIGH, PR:L). The ClearML client SDK does not constrain dataset entry paths, so a maliciously uploaded dataset writes files to an arbitrary local or remote location on the retrieving user's system (CWE-22 path traversal).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "HiddenLayer published the analysis and attack chain (a malicious dataset writes to arbitrary paths on retrieval).",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed by HiddenLayer (https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/). The abused surface is a widely used MLOps / experiment-tracking platform (ClearML) - the AI supply-chain layer between data scientists.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is in how an MLOps platform handles uploaded experiment artifacts.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research disclosure with a documented attack chain; no confirmed in-the-wild exploitation reported as of curation. No fixed SDK version is published in the advisory, so users on the affected range remain exposed when retrieving untrusted artifacts.",
+    "affected": "ClearML client SDK 1.4.0 through 1.14.1.",
+    "affected_versions": [
+      "ClearML (pip) >= 1.4.0, <= 1.14.1"
+    ],
+    "vector": "When the ClearML client SDK retrieves a dataset, it writes the dataset's entries to disk without constraining their paths. A maliciously uploaded dataset whose entries use absolute or ../ traversal paths therefore writes files to arbitrary locations on the retrieving user's system (CWE-22) - which, by overwriting startup or configuration files, can escalate to code execution. Disclosed by HiddenLayer.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:R - network-delivered via an uploaded artifact, but requires the victim to retrieve/interact with it (UI:R). HiddenLayer's CNA vector marks PR:L (an account that can upload to the shared project).",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed SDK version is listed in the advisory as of curation; mitigation is retrieving artifacts/datasets only from trusted projects and treating retrieved content as untrusted (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed ClearML SDK version is listed in the GitHub advisory or NVD as of curation. Only retrieve datasets from trusted ClearML projects, run the SDK as a least-privilege user, and treat dataset extraction paths as untrusted (reject absolute / ../ traversal entries) until the deployed SDK version is confirmed to contain extraction."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-10": "Input validation is not applied to an uploaded experiment artifact/dataset before the MLOps SDK extracts it.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: the SDK writes dataset entries without path containment on retrieval.",
+      "NIST-800-53-SR-3": "Supply-chain controls do not treat MLOps experiment artifacts/datasets as untrusted third-party content delivered between collaborators.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address uncontained extraction of dataset entries in an MLOps SDK.",
+      "NIS2-Art21-supply-chain": "Supply-chain-security measures do not reach the MLOps platform as a channel that delivers executable artifacts between data scientists.",
+      "DORA-Art-9": "ICT protection measures do not model MLOps-artifact retrieval as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for validating MLOps artifacts/datasets before deserialization or extraction.",
+      "AU-ISM-1546": "Patch-application control does not single out MLOps client SDKs.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an MLOps / experiment-tracking platform's uploaded artifacts and datasets as an untrusted code/file-delivery surface."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1204",
+      "T1083",
+      "T1565.001"
+    ],
+    "rwep_score": 38,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 18,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 38, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no fixed SDK version published so no patch credit (Hard Rule #3); the UI:R requirement (victim must retrieve the malicious artifact) keeps blast moderate. poc_available=20 + blast_radius=18.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2024-24591",
+    "cwe_refs": [
+      "CWE-22"
+    ],
+    "iocs": {
+      "behavioral": [
+        "ClearML datasets whose entries contain absolute paths or ../ traversal sequences.",
+        "Files written by the ClearML client SDK outside the intended dataset cache/extraction directory during a dataset get.",
+        "Unexpected modification of startup, configuration, or credential files following a ClearML dataset retrieval.",
+        "ClearML (pip) 1.4.0-1.14.1 retrieving artifacts/datasets from projects that accept untrusted uploads - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the HiddenLayer disclosure (https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/), the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-m95h-p4gg-wfw3), and NVD CVE-2024-24591 (CWE-22)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2024-24591",
+      "https://github.com/advisories/GHSA-m95h-p4gg-wfw3",
+      "https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2024-24591",
+        "url": "https://github.com/advisories/GHSA-m95h-p4gg-wfw3",
+        "severity": "high",
+        "published_date": "2024-06-27"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2024-24591",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24591",
+        "severity": "high",
+        "published_date": "2024-06-27"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the HiddenLayer disclosure (https://hiddenlayer.com/innovation-hub/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/) + the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-m95h-p4gg-wfw3, CWE-22) + NVD (CVSS v3.1 8.8) / HiddenLayer (CNA 8.0). MLOps / experiment-tracking platform flaw (ClearML); introduces the MLOps-artifact trust-boundary control NEW-CTRL-104.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "ClearML client SDK writes dataset entries without path containment, so a malicious dataset writes files to arbitrary paths on the retrieving user (CWE-22 path traversal); no fixed SDK version is listed in the advisory - retrieve datasets only from trusted projects."
+  },
+  "CVE-2023-6016": {
+    "name": "H2O-3 POJO Model Import Unauthenticated Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 9.8 (CRITICAL); huntr.dev (CNA) rates it 10.0 (CRITICAL, scope-changed). The H2O dashboard / REST API exposes a POJO (Java) model-import feature with no authentication that compiles and runs the imported model code, so an unauthenticated attacker gains remote code execution by importing a malicious model (CWE-94).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "huntr.dev / Protect AI published the analysis and proof-of-concept (import a malicious POJO model to gain code execution).",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via huntr.dev / Protect AI (https://huntr.com/bounties/511da408-543e-4eed-8757-1d5d59c4d6c8). The abused surface is H2O-3, a widely used open-source ML/AutoML platform.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is an unauthenticated model-import code-execution surface on an ML platform's control plane.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research/bounty disclosure with a public proof-of-concept; no confirmed in-the-wild exploitation reported as of curation. No fixed version is published (H2O-3 is documented as a trusted-environment product), so exposed instances remain vulnerable.",
+    "affected": "H2O (H2O-3) - the H2O dashboard / REST API POJO model-import feature.",
+    "affected_versions": [
+      "H2O-3 (all versions with the POJO model-import feature exposed)"
+    ],
+    "vector": "H2O-3 is an open-source ML platform whose dashboard / REST API can import a model supplied as a POJO (Plain Old Java Object). The import feature compiles and executes the supplied model code, and the endpoint requires no authentication - so an unauthenticated attacker who can reach the H2O dashboard imports a malicious POJO model and runs arbitrary code on the host (a model artifact is executable code). Disclosed via huntr.dev / Protect AI.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:N - network-reachable and unauthenticated; a single request to the exposed H2O-3 model-import feature suffices.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed version published as of curation; H2O.ai documents H2O-3 as a trusted-environment product. Mitigation is network isolation + authenticated access control (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed H2O-3 version is published as of curation; H2O.ai documents that H2O-3 is designed to run in a trusted environment. Do not expose the H2O-3 dashboard / REST API to untrusted networks, place it behind authenticated network access control, and treat model import as a code-execution surface (only import models from trusted sources)."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-3": "Malicious-code protection does not treat the ML platform's model-import feature as a code-execution channel.",
+      "NIST-800-53-IA-2": "The H2O-3 dashboard / REST API does not authenticate callers before exposing a model-import (code-execution) feature.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: the model-import feature compiles and runs imported code by default and is reachable without authentication.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address compiling and running an imported model artifact as host code.",
+      "NIS2-Art21-identity-management": "Article 21 access-control measures do not reach the ML platform's unauthenticated model-import endpoint.",
+      "DORA-Art-9": "ICT protection measures do not model an ML platform's model-import RCE as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for authenticating and sandboxing ML-platform model import.",
+      "AU-ISM-1546": "Patch-application control does not single out ML/AutoML platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML platform's model-import feature as a privileged code-execution surface that must authenticate and reject untrusted model code."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 48,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 28,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 48, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no fixed version published so no patch credit (Hard Rule #3); unauthenticated RCE keeps blast high. poc_available=20 + blast_radius=28. The vendor's trusted-environment stance means the only remediation is isolation, so exposure persists until operators network-isolate H2O-3.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-6016",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Unauthenticated requests to the H2O-3 dashboard / REST API importing a POJO (Java) model from an attacker-controlled source.",
+        "The H2O-3 process compiling and running imported model code that performs shell, network, or file-system operations.",
+        "An internet-exposed H2O-3 dashboard (default port reachable without authentication) - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the huntr.dev / Protect AI bounty report (https://huntr.com/bounties/511da408-543e-4eed-8757-1d5d59c4d6c8), the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-p3v8-5qc4-7p8r), and NVD CVE-2023-6016 (CWE-94)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-6016",
+      "https://github.com/advisories/GHSA-p3v8-5qc4-7p8r",
+      "https://huntr.com/bounties/511da408-543e-4eed-8757-1d5d59c4d6c8"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2023-6016",
+        "url": "https://github.com/advisories/GHSA-p3v8-5qc4-7p8r",
+        "severity": "critical",
+        "published_date": "2023-11-16"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-6016",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6016",
+        "severity": "critical",
+        "published_date": "2023-11-16"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the huntr.dev / Protect AI bounty (https://huntr.com/bounties/511da408-543e-4eed-8757-1d5d59c4d6c8) + the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-p3v8-5qc4-7p8r, CWE-94) + NVD (CVSS v3.1 9.8) / huntr (CNA). H2O-3 ML-platform flaw; reuses the untrusted-model-artifact-loading control NEW-CTRL-091 - the POJO model import is an untrusted model artifact = executable code, the class shared with Keras / HF Transformers / NeMo / PyTorch.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "H2O-3's unauthenticated POJO model-import feature compiles and runs imported model code, giving unauthenticated RCE (CWE-94); no fixed version published - H2O-3 is designed for a trusted environment, so isolate it."
+  },
+  "CVE-2023-6038": {
+    "name": "H2O-3 REST API Unauthenticated Local File Inclusion (Arbitrary File Read)",
+    "type": "Information Disclosure",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 7.5 (HIGH, confidentiality-only); huntr.dev (CNA) rates it 9.3 (CRITICAL, scope-changed). The H2O-3 REST API exposes an import path that performs no authorization check, letting an unauthenticated attacker read arbitrary files on the host with the H2O-3 process's permissions (CWE-862 missing authorization, Local File Inclusion).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "huntr.dev / Protect AI published the analysis and proof-of-concept (read arbitrary files via the unauthenticated import path).",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via huntr.dev / Protect AI (https://huntr.com/bounties/e76a32f6-b1b6-4caf-bc06-50bbe7548b3d). The abused surface is H2O-3, a widely used open-source ML/AutoML platform.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is an unauthenticated file-read surface on an ML platform's control plane.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research/bounty disclosure with a public proof-of-concept; no confirmed in-the-wild exploitation reported as of curation. No fixed version is published (H2O-3 is documented as a trusted-environment product), so exposed instances remain vulnerable.",
+    "affected": "H2O-3 3.40.0.4 (and likely other versions).",
+    "affected_versions": [
+      "H2O-3 <= 3.40.0.4"
+    ],
+    "vector": "The H2O-3 REST API exposes a file-import endpoint with no authorization control. An unauthenticated remote attacker uses it to read arbitrary files (credentials, configuration, data) on the server with the permissions of the user running H2O-3 - a Local File Inclusion driven by missing authorization (CWE-862). Disclosed via huntr.dev / Protect AI.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:N - network-reachable and unauthenticated; a single request to the exposed H2O-3 REST API import path suffices.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed version published as of curation; H2O.ai documents H2O-3 as a trusted-environment product. Mitigation is network isolation + authenticated access control (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed H2O-3 version is published as of curation; H2O.ai documents that H2O-3 is designed to run in a trusted environment. Do not expose the H2O-3 REST API to untrusted networks, require authenticated network access, and run H2O-3 as a least-privilege user so an LFI yields minimal data."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement is missing: the H2O-3 REST API import path performs no authorization check (CWE-862).",
+      "NIST-800-53-IA-2": "The H2O-3 REST API does not authenticate callers before serving a file-import path that can read arbitrary files.",
+      "NIST-800-53-SC-7": "Boundary protection does not treat the ML platform's unauthenticated REST API as an exposed surface.",
+      "ISO-27001-2022-A.5.15": "Access control does not gate the H2O-3 REST API's file-import path.",
+      "NIS2-Art21-identity-management": "Article 21 access-control measures do not reach the ML platform's unauthenticated REST API.",
+      "DORA-Art-9": "ICT protection measures do not model unauthenticated file read from an ML platform as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for authenticating the ML platform's REST API.",
+      "AU-ISM-1546": "Patch-application control does not single out ML/AutoML platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML platform's REST API authorization as an integrity control whose absence exposes arbitrary file read."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1083",
+      "T1005"
+    ],
+    "rwep_score": 38,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 18,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 38, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no fixed version published so no patch credit (Hard Rule #3); confidentiality-only file read keeps blast moderate. poc_available=20 + blast_radius=18. The vendor's trusted-environment stance means the only remediation is isolation, so exposure persists until operators network-isolate H2O-3.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-6038",
+    "cwe_refs": [
+      "CWE-862"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Unauthenticated H2O-3 REST API import requests referencing local file paths (e.g. /etc/passwd, credential or config files) rather than dataset URLs.",
+        "H2O-3 returning the contents of local system files in import/preview responses.",
+        "An internet-exposed H2O-3 REST API reachable without authentication - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the huntr.dev / Protect AI bounty report (https://huntr.com/bounties/e76a32f6-b1b6-4caf-bc06-50bbe7548b3d), the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-6mv8-95x5-xcq9), and NVD CVE-2023-6038 (CWE-862)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-6038",
+      "https://github.com/advisories/GHSA-6mv8-95x5-xcq9",
+      "https://huntr.com/bounties/e76a32f6-b1b6-4caf-bc06-50bbe7548b3d"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2023-6038",
+        "url": "https://github.com/advisories/GHSA-6mv8-95x5-xcq9",
+        "severity": "high",
+        "published_date": "2023-11-16"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-6038",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6038",
+        "severity": "high",
+        "published_date": "2023-11-16"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the huntr.dev / Protect AI bounty (https://huntr.com/bounties/e76a32f6-b1b6-4caf-bc06-50bbe7548b3d) + the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-6mv8-95x5-xcq9, CWE-862) + NVD (CVSS v3.1 7.5) / huntr (CNA). H2O-3 ML-platform flaw; reuses the AI-compute control-plane authentication control NEW-CTRL-088 - the ML platform's REST API must authenticate every endpoint, the class shared with Ray / ShadowRay.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "H2O-3's REST API import path performs no authorization, letting an unauthenticated attacker read arbitrary host files (CWE-862 LFI); no fixed version published - H2O-3 is designed for a trusted environment, so isolate it."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -101,6 +101,7 @@
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-1708",
+      "CVE-2024-24591",
       "CVE-2024-37032",
       "CVE-2024-39722",
       "CVE-2024-57728",
@@ -381,6 +382,7 @@
       "CVE-2020-25078",
       "CVE-2022-48503",
       "CVE-2023-44467",
+      "CVE-2023-6016",
       "CVE-2024-12366",
       "CVE-2024-21513",
       "CVE-2024-21576",
@@ -1335,6 +1337,7 @@
       "CVE-2024-11392",
       "CVE-2024-11393",
       "CVE-2024-11394",
+      "CVE-2024-24590",
       "CVE-2024-50050",
       "CVE-2024-8069",
       "CVE-2025-10035",
@@ -1749,6 +1752,7 @@
     "evidence_cves": [
       "CVE-2023-48022",
       "CVE-2023-52163",
+      "CVE-2023-6038",
       "CVE-2024-57726",
       "CVE-2025-20362",
       "CVE-2025-40602",