@blamejs/exceptd-skills 0.13.104 → 0.13.105

package/data/atlas-ttps.json

@@ -144,6 +144,7 @@
     "last_verified": "2026-05-19",
     "cve_refs": [
       "CVE-2023-43654",
+      "CVE-2023-6016",
       "CVE-2024-0129",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -1280,6 +1281,7 @@
     "last_verified": "2026-05-19",
     "cve_refs": [
       "CVE-2023-44467",
+      "CVE-2023-6016",
       "CVE-2024-0129",
       "CVE-2024-11392",
       "CVE-2024-11393",
@@ -1735,6 +1737,7 @@
       "CVE-2023-51449",
       "CVE-2023-6019",
       "CVE-2023-6021",
+      "CVE-2023-6038",
       "CVE-2024-13059",
       "CVE-2024-1561",
       "CVE-2024-21575",
@@ -2848,6 +2851,7 @@
     "is_subtechnique": true,
     "cve_refs": [
       "CVE-2022-1471",
+      "CVE-2023-6016",
       "CVE-2024-0129",
       "CVE-2024-11392",
       "CVE-2024-11393",

package/data/attack-techniques.json

@@ -276,6 +276,7 @@
       "CVE-2023-43654",
       "CVE-2023-44467",
       "CVE-2023-48022",
+      "CVE-2023-6016",
       "CVE-2023-6019",
       "CVE-2024-0129",
       "CVE-2024-11392",
@@ -875,8 +876,10 @@
       "CVE-2023-48022",
       "CVE-2023-51449",
       "CVE-2023-52163",
+      "CVE-2023-6016",
       "CVE-2023-6019",
       "CVE-2023-6021",
+      "CVE-2023-6038",
       "CVE-2024-12987",
       "CVE-2024-13059",
       "CVE-2024-1561",
@@ -2492,6 +2495,7 @@
     "cve_refs": [
       "CVE-2023-36424",
       "CVE-2023-51449",
+      "CVE-2023-6038",
       "CVE-2024-1561",
       "CVE-2025-14847",
       "CVE-2025-22226",
@@ -3581,6 +3585,7 @@
     "cve_refs": [
       "CVE-2023-51449",
       "CVE-2023-6021",
+      "CVE-2023-6038",
       "CVE-2024-1561",
       "CVE-2024-24591",
       "CVE-2024-39722",

package/data/cve-catalog.json

@@ -16253,6 +16253,217 @@
     "_intake_method": "manual-verified-curation",
     "_kev_short_description": "ClearML client SDK writes dataset entries without path containment, so a malicious dataset writes files to arbitrary paths on the retrieving user (CWE-22 path traversal); no fixed SDK version is listed in the advisory - retrieve datasets only from trusted projects."
   },
+  "CVE-2023-6016": {
+    "name": "H2O-3 POJO Model Import Unauthenticated Remote Code Execution",
+    "type": "RCE",
+    "cvss_score": 9.8,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 9.8 (CRITICAL); huntr.dev (CNA) rates it 10.0 (CRITICAL, scope-changed). The H2O dashboard / REST API exposes a POJO (Java) model-import feature with no authentication that compiles and runs the imported model code, so an unauthenticated attacker gains remote code execution by importing a malicious model (CWE-94).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "huntr.dev / Protect AI published the analysis and proof-of-concept (import a malicious POJO model to gain code execution).",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via huntr.dev / Protect AI (https://huntr.com/bounties/511da408-543e-4eed-8757-1d5d59c4d6c8). The abused surface is H2O-3, a widely used open-source ML/AutoML platform.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is an unauthenticated model-import code-execution surface on an ML platform's control plane.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research/bounty disclosure with a public proof-of-concept; no confirmed in-the-wild exploitation reported as of curation. No fixed version is published (H2O-3 is documented as a trusted-environment product), so exposed instances remain vulnerable.",
+    "affected": "H2O (H2O-3) - the H2O dashboard / REST API POJO model-import feature.",
+    "affected_versions": [
+      "H2O-3 (all versions with the POJO model-import feature exposed)"
+    ],
+    "vector": "H2O-3 is an open-source ML platform whose dashboard / REST API can import a model supplied as a POJO (Plain Old Java Object). The import feature compiles and executes the supplied model code, and the endpoint requires no authentication - so an unauthenticated attacker who can reach the H2O dashboard imports a malicious POJO model and runs arbitrary code on the host (a model artifact is executable code). Disclosed via huntr.dev / Protect AI.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:N - network-reachable and unauthenticated; a single request to the exposed H2O-3 model-import feature suffices.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed version published as of curation; H2O.ai documents H2O-3 as a trusted-environment product. Mitigation is network isolation + authenticated access control (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed H2O-3 version is published as of curation; H2O.ai documents that H2O-3 is designed to run in a trusted environment. Do not expose the H2O-3 dashboard / REST API to untrusted networks, place it behind authenticated network access control, and treat model import as a code-execution surface (only import models from trusted sources)."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-SI-3": "Malicious-code protection does not treat the ML platform's model-import feature as a code-execution channel.",
+      "NIST-800-53-IA-2": "The H2O-3 dashboard / REST API does not authenticate callers before exposing a model-import (code-execution) feature.",
+      "NIST-800-53-CM-7": "Least-functionality is not enforced: the model-import feature compiles and runs imported code by default and is reachable without authentication.",
+      "ISO-27001-2022-A.8.28": "Secure-coding expectations do not address compiling and running an imported model artifact as host code.",
+      "NIS2-Art21-identity-management": "Article 21 access-control measures do not reach the ML platform's unauthenticated model-import endpoint.",
+      "DORA-Art-9": "ICT protection measures do not model an ML platform's model-import RCE as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for authenticating and sandboxing ML-platform model import.",
+      "AU-ISM-1546": "Patch-application control does not single out ML/AutoML platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML platform's model-import feature as a privileged code-execution surface that must authenticate and reject untrusted model code."
+    },
+    "atlas_refs": [
+      "AML.T0010",
+      "AML.T0011",
+      "AML.T0011.000"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1059"
+    ],
+    "rwep_score": 48,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 28,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Elevated (RWEP 48, \"patch within 7 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no fixed version published so no patch credit (Hard Rule #3); unauthenticated RCE keeps blast high. poc_available=20 + blast_radius=28. The vendor's trusted-environment stance means the only remediation is isolation, so exposure persists until operators network-isolate H2O-3.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-6016",
+    "cwe_refs": [
+      "CWE-94"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Unauthenticated requests to the H2O-3 dashboard / REST API importing a POJO (Java) model from an attacker-controlled source.",
+        "The H2O-3 process compiling and running imported model code that performs shell, network, or file-system operations.",
+        "An internet-exposed H2O-3 dashboard (default port reachable without authentication) - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the huntr.dev / Protect AI bounty report (https://huntr.com/bounties/511da408-543e-4eed-8757-1d5d59c4d6c8), the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-p3v8-5qc4-7p8r), and NVD CVE-2023-6016 (CWE-94)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-6016",
+      "https://github.com/advisories/GHSA-p3v8-5qc4-7p8r",
+      "https://huntr.com/bounties/511da408-543e-4eed-8757-1d5d59c4d6c8"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2023-6016",
+        "url": "https://github.com/advisories/GHSA-p3v8-5qc4-7p8r",
+        "severity": "critical",
+        "published_date": "2023-11-16"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-6016",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6016",
+        "severity": "critical",
+        "published_date": "2023-11-16"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the huntr.dev / Protect AI bounty (https://huntr.com/bounties/511da408-543e-4eed-8757-1d5d59c4d6c8) + the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-p3v8-5qc4-7p8r, CWE-94) + NVD (CVSS v3.1 9.8) / huntr (CNA). H2O-3 ML-platform flaw; reuses the untrusted-model-artifact-loading control NEW-CTRL-091 - the POJO model import is an untrusted model artifact = executable code, the class shared with Keras / HF Transformers / NeMo / PyTorch.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "H2O-3's unauthenticated POJO model-import feature compiles and runs imported model code, giving unauthenticated RCE (CWE-94); no fixed version published - H2O-3 is designed for a trusted environment, so isolate it."
+  },
+  "CVE-2023-6038": {
+    "name": "H2O-3 REST API Unauthenticated Local File Inclusion (Arbitrary File Read)",
+    "type": "Information Disclosure",
+    "cvss_score": 7.5,
+    "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+    "cvss_note": "NIST (NVD) CVSS v3.1 base 7.5 (HIGH, confidentiality-only); huntr.dev (CNA) rates it 9.3 (CRITICAL, scope-changed). The H2O-3 REST API exposes an import path that performs no authorization check, letting an unauthenticated attacker read arbitrary files on the host with the H2O-3 process's permissions (CWE-862 missing authorization, Local File Inclusion).",
+    "cisa_kev": false,
+    "poc_available": true,
+    "poc_description": "huntr.dev / Protect AI published the analysis and proof-of-concept (read arbitrary files via the unauthenticated import path).",
+    "ai_discovered": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_discovery_notes": "Disclosed via huntr.dev / Protect AI (https://huntr.com/bounties/e76a32f6-b1b6-4caf-bc06-50bbe7548b3d). The abused surface is H2O-3, a widely used open-source ML/AutoML platform.",
+    "ai_assisted_weaponization": false,
+    "ai_assisted_notes": "No AI-assisted weaponization; the flaw is an unauthenticated file-read surface on an ML platform's control plane.",
+    "active_exploitation": "none",
+    "active_exploitation_notes": "Research/bounty disclosure with a public proof-of-concept; no confirmed in-the-wild exploitation reported as of curation. No fixed version is published (H2O-3 is documented as a trusted-environment product), so exposed instances remain vulnerable.",
+    "affected": "H2O-3 3.40.0.4 (and likely other versions).",
+    "affected_versions": [
+      "H2O-3 <= 3.40.0.4"
+    ],
+    "vector": "The H2O-3 REST API exposes a file-import endpoint with no authorization control. An unauthenticated remote attacker uses it to read arbitrary files (credentials, configuration, data) on the server with the permissions of the user running H2O-3 - a Local File Inclusion driven by missing authorization (CWE-862). Disclosed via huntr.dev / Protect AI.",
+    "complexity": "low",
+    "complexity_notes": "NVD AV:N / AC:L / PR:N / UI:N - network-reachable and unauthenticated; a single request to the exposed H2O-3 REST API import path suffices.",
+    "patch_available": false,
+    "patch_required_reboot": false,
+    "live_patch_available": false,
+    "live_patch_tools": [],
+    "live_patch_notes": "No fixed version published as of curation; H2O.ai documents H2O-3 as a trusted-environment product. Mitigation is network isolation + authenticated access control (see vendor_update_paths).",
+    "vendor_update_paths": [
+      "No fixed H2O-3 version is published as of curation; H2O.ai documents that H2O-3 is designed to run in a trusted environment. Do not expose the H2O-3 REST API to untrusted networks, require authenticated network access, and run H2O-3 as a least-privilege user so an LFI yields minimal data."
+    ],
+    "framework_control_gaps": {
+      "NIST-800-53-AC-3": "Access enforcement is missing: the H2O-3 REST API import path performs no authorization check (CWE-862).",
+      "NIST-800-53-IA-2": "The H2O-3 REST API does not authenticate callers before serving a file-import path that can read arbitrary files.",
+      "NIST-800-53-SC-7": "Boundary protection does not treat the ML platform's unauthenticated REST API as an exposed surface.",
+      "ISO-27001-2022-A.5.15": "Access control does not gate the H2O-3 REST API's file-import path.",
+      "NIS2-Art21-identity-management": "Article 21 access-control measures do not reach the ML platform's unauthenticated REST API.",
+      "DORA-Art-9": "ICT protection measures do not model unauthenticated file read from an ML platform as an ICT-risk event.",
+      "UK-CAF-B4": "System Security objective has no objective for authenticating the ML platform's REST API.",
+      "AU-ISM-1546": "Patch-application control does not single out ML/AutoML platforms.",
+      "ALL-AI-PIPELINE-INTEGRITY": "No framework treats an ML platform's REST API authorization as an integrity control whose absence exposes arbitrary file read."
+    },
+    "atlas_refs": [
+      "AML.T0049"
+    ],
+    "attack_refs": [
+      "T1190",
+      "T1083",
+      "T1005"
+    ],
+    "rwep_score": 38,
+    "rwep_factors": {
+      "cisa_kev": 0,
+      "poc_available": 20,
+      "ai_factor": 0,
+      "active_exploitation": 0,
+      "blast_radius": 18,
+      "patch_available": 0,
+      "live_patch_available": 0,
+      "reboot_required": 0
+    },
+    "rwep_notes": "Standard (RWEP 38, \"patch within 30 days\" band per lib/scoring.js timeline). Not KEV, no confirmed in-the-wild exploitation, and no fixed version published so no patch credit (Hard Rule #3); confidentiality-only file read keeps blast moderate. poc_available=20 + blast_radius=18. The vendor's trusted-environment stance means the only remediation is isolation, so exposure persists until operators network-isolate H2O-3.",
+    "epss_score": null,
+    "epss_date": "2026-05-25",
+    "epss_note": "EPSS not pulled for this entry; retrieve via FIRST EPSS API in a future refresh.",
+    "epss_source": "https://api.first.org/data/v1/epss?cve=CVE-2023-6038",
+    "cwe_refs": [
+      "CWE-862"
+    ],
+    "iocs": {
+      "behavioral": [
+        "Unauthenticated H2O-3 REST API import requests referencing local file paths (e.g. /etc/passwd, credential or config files) rather than dataset URLs.",
+        "H2O-3 returning the contents of local system files in import/preview responses.",
+        "An internet-exposed H2O-3 REST API reachable without authentication - the exposed precondition."
+      ],
+      "_ioc_source_note": "Behavioral signatures anchored to the huntr.dev / Protect AI bounty report (https://huntr.com/bounties/e76a32f6-b1b6-4caf-bc06-50bbe7548b3d), the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-6mv8-95x5-xcq9), and NVD CVE-2023-6038 (CWE-862)."
+    },
+    "source_verified": "2026-05-25",
+    "verification_sources": [
+      "https://nvd.nist.gov/vuln/detail/CVE-2023-6038",
+      "https://github.com/advisories/GHSA-6mv8-95x5-xcq9",
+      "https://huntr.com/bounties/e76a32f6-b1b6-4caf-bc06-50bbe7548b3d"
+    ],
+    "vendor_advisories": [
+      {
+        "vendor": "GitHub Security Advisory",
+        "advisory_id": "CVE-2023-6038",
+        "url": "https://github.com/advisories/GHSA-6mv8-95x5-xcq9",
+        "severity": "high",
+        "published_date": "2023-11-16"
+      },
+      {
+        "vendor": "NVD",
+        "advisory_id": "CVE-2023-6038",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6038",
+        "severity": "high",
+        "published_date": "2023-11-16"
+      }
+    ],
+    "last_updated": "2026-05-25",
+    "discovery_attribution_note": "Manually curated from the huntr.dev / Protect AI bounty (https://huntr.com/bounties/e76a32f6-b1b6-4caf-bc06-50bbe7548b3d) + the GitHub Security Advisory advisory (https://github.com/advisories/GHSA-6mv8-95x5-xcq9, CWE-862) + NVD (CVSS v3.1 7.5) / huntr (CNA). H2O-3 ML-platform flaw; reuses the AI-compute control-plane authentication control NEW-CTRL-088 - the ML platform's REST API must authenticate every endpoint, the class shared with Ray / ShadowRay.",
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation",
+    "_kev_short_description": "H2O-3's REST API import path performs no authorization, letting an unauthenticated attacker read arbitrary host files (CWE-862 LFI); no fixed version published - H2O-3 is designed for a trusted environment, so isolate it."
+  },
   "CVE-2026-41091": {
     "name": "Microsoft Defender (Malware Protection Engine) Link-Following LPE to SYSTEM",
     "type": "LPE",

package/data/cwe-catalog.json

@@ -382,6 +382,7 @@
       "CVE-2020-25078",
       "CVE-2022-48503",
       "CVE-2023-44467",
+      "CVE-2023-6016",
       "CVE-2024-12366",
       "CVE-2024-21513",
       "CVE-2024-21576",
@@ -1751,6 +1752,7 @@
     "evidence_cves": [
       "CVE-2023-48022",
       "CVE-2023-52163",
+      "CVE-2023-6038",
       "CVE-2024-57726",
       "CVE-2025-20362",
       "CVE-2025-40602",

package/data/framework-control-gaps.json

@@ -38,8 +38,10 @@
       "CVE-2023-43654",
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6016",
       "CVE-2023-6019",
       "CVE-2023-6021",
+      "CVE-2023-6038",
       "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
@@ -1267,6 +1269,7 @@
     "opened_date": "2026-01-01",
     "evidence_cves": [
       "CVE-2023-43472",
+      "CVE-2023-6016",
       "CVE-2024-12366",
       "CVE-2024-24590",
       "CVE-2024-24591",
@@ -2101,6 +2104,7 @@
     "opened_date": "2026-04-01",
     "evidence_cves": [
       "BUG-2026-NIGHTMARE-ECLIPSE-GREENPLASMA",
+      "CVE-2023-6016",
       "CVE-2024-12366",
       "CVE-2024-24590",
       "CVE-2024-24591",
@@ -2249,6 +2253,7 @@
     "evidence_cves": [
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6038",
       "CVE-2024-0132",
       "CVE-2024-1561",
       "CVE-2024-21575",
@@ -2798,6 +2803,7 @@
     "opened_date": "2026-02-01",
     "evidence_cves": [
       "BUG-2026-NIGHTMARE-ECLIPSE-UNDEFEND",
+      "CVE-2023-6016",
       "CVE-2024-12366",
       "CVE-2024-5565",
       "CVE-2025-11837",
@@ -5028,8 +5034,10 @@
       "CVE-2023-44467",
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6016",
       "CVE-2023-6019",
       "CVE-2023-6021",
+      "CVE-2023-6038",
       "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
@@ -5133,6 +5141,7 @@
     "status": "open",
     "opened_date": "2026-05-15",
     "evidence_cves": [
+      "CVE-2023-6038",
       "CVE-2024-1709",
       "CVE-2025-3248",
       "CVE-2026-33017",
@@ -5427,6 +5436,8 @@
     "status": "open",
     "opened_date": "2026-05-15",
     "evidence_cves": [
+      "CVE-2023-6016",
+      "CVE-2023-6038",
       "CVE-2025-3248",
       "CVE-2026-33017",
       "CVE-2026-6973"
@@ -5590,6 +5601,8 @@
     "evidence_cves": [
       "CVE-2023-44467",
       "CVE-2023-51449",
+      "CVE-2023-6016",
+      "CVE-2023-6038",
       "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
@@ -5686,8 +5699,10 @@
       "CVE-2023-44467",
       "CVE-2023-48022",
       "CVE-2023-51449",
+      "CVE-2023-6016",
       "CVE-2023-6019",
       "CVE-2023-6021",
+      "CVE-2023-6038",
       "CVE-2024-0129",
       "CVE-2024-0132",
       "CVE-2024-11392",
@@ -5959,6 +5974,7 @@
     "evidence_cves": [
       "CVE-2020-10148",
       "CVE-2023-48022",
+      "CVE-2023-6038",
       "CVE-2025-3248",
       "CVE-2025-55241",
       "CVE-2026-24206",
@@ -6031,8 +6047,10 @@
       "CVE-2022-1471",
       "CVE-2023-43654",
       "CVE-2023-48022",
+      "CVE-2023-6016",
       "CVE-2023-6019",
       "CVE-2023-6021",
+      "CVE-2023-6038",
       "CVE-2024-1709",
       "CVE-2024-4889",
       "CVE-2024-6587",

package/data/zeroday-lessons.json

@@ -4411,6 +4411,106 @@
     "_auto_imported": false,
     "_intake_method": "manual-verified-curation"
   },
+  "CVE-2023-6016": {
+    "name": "H2O-3 POJO Model Import Unauthenticated Remote Code Execution",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "H2O-3's dashboard / REST API exposes an unauthenticated POJO (Java) model-import feature that compiles and runs the imported model code, so an unauthenticated attacker imports a malicious model and gains remote code execution on the host.",
+      "privileges_required": "none (unauthenticated)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is H2O-3, an open-source ML/AutoML platform. The lesson: an ML platform's control plane is a privileged surface - model import runs code, so it must authenticate and reject untrusted model artifacts; a 'trusted environment' deployment assumption is not a control."
+    },
+    "framework_coverage": {
+      "NIST-800-53-SI-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Flaw remediation does not track the ML platform's model-import feature; the vendor treats H2O-3 as trusted-environment-only, so no fix ships."
+      },
+      "NIST-800-53-SI-10": {
+        "covered": true,
+        "adequate": false,
+        "gap": "No input validation distinguishes a trusted model from attacker code at the unauthenticated model-import endpoint."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework treats an ML platform's model-import feature as a privileged code-execution surface - a model artifact is executable code."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 82,
+      "basis": "H2O-3 is deployed for data-science productivity on trusted-network assumptions; its dashboard / REST API is frequently exposed without authentication, and the vendor ships no fix (trusted-environment-by-design).",
+      "theater_pattern": "ai_platform_trusted_environment_assumption"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-091",
+        "name": "UNTRUSTED-MODEL-ARTIFACT-LOADING",
+        "description": "Treat ML model artifacts as untrusted code: never load .keras / pickle-based models from untrusted sources, verify provenance, prefer safe formats (e.g. safetensors), and load untrusted models only in a sandboxed, network-isolated, least-privilege environment. Upgrade Keras to the fixed release (>= 3.8.0 for CVE-2025-1550; past 3.10.0 for the CVE-2025-8747 safe_mode bypass) and do not rely on safe_mode alone — it was bypassable. The distinguishing test: load an attacker-crafted .keras archive with safe_mode enabled on a sandboxed instance and confirm no code executes.",
+        "evidence": "https://nvd.nist.gov/vuln/detail/CVE-2025-1550",
+        "gap_closes": [
+          "NIST-800-53-SI-2",
+          "NIST-800-53-SI-10",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
+  "CVE-2023-6038": {
+    "name": "H2O-3 REST API Unauthenticated Local File Inclusion (Arbitrary File Read)",
+    "lesson_date": "2026-05-25",
+    "attack_vector": {
+      "description": "H2O-3's REST API exposes a file-import path with no authorization check, so an unauthenticated remote attacker reads arbitrary files on the host with the H2O-3 process's permissions (Local File Inclusion).",
+      "privileges_required": "none (unauthenticated)",
+      "complexity": "low",
+      "ai_factor": "The abused surface is H2O-3, an open-source ML/AutoML platform. The lesson: an ML platform's control plane is a privileged surface - its REST API must authenticate every endpoint; a 'trusted environment' deployment assumption is not a control."
+    },
+    "framework_coverage": {
+      "NIST-800-53-IA-2": {
+        "covered": true,
+        "adequate": false,
+        "gap": "The H2O-3 REST API does not authenticate callers before serving a file-import path; 'trusted environment' is assumed, not enforced."
+      },
+      "NIST-800-53-SC-7": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Boundary protection does not treat the unauthenticated ML-platform REST API as an exposed surface."
+      },
+      "ALL-AI-PIPELINE-INTEGRITY": {
+        "covered": false,
+        "adequate": false,
+        "gap": "No framework requires authenticating every endpoint of an ML platform's control plane / REST API."
+      }
+    },
+    "compliance_exposure_score": {
+      "percent_audit_passing_orgs_still_exposed": 80,
+      "basis": "H2O-3 is deployed for data-science productivity on trusted-network assumptions; its dashboard / REST API is frequently exposed without authentication, and the vendor ships no fix (trusted-environment-by-design).",
+      "theater_pattern": "ai_platform_trusted_environment_assumption"
+    },
+    "ai_discovered_zeroday": false,
+    "ai_discovery_source": "human_researcher",
+    "ai_assist_factor": "none",
+    "new_control_requirements": [
+      {
+        "id": "NEW-CTRL-088",
+        "name": "AI-COMPUTE-CONTROL-PLANE-AUTHENTICATION",
+        "description": "An AI compute framework's job/control API must authenticate every caller; 'deploy only on a trusted network' is an assumption, not a control, and must not substitute for authentication. Enable Ray token authentication (2.52.0+), never expose the dashboard / Job Submission API to untrusted networks, front it with an authenticating proxy, and treat any internet-exposed cluster as compromised (rotate model artifacts and cloud credentials). The distinguishing test: from the public internet, attempt to reach the Ray dashboard (default 8265) and submit a job unauthenticated on a staging cluster; it must be refused.",
+        "evidence": "https://atlas.mitre.org/studies/AML.CS0023",
+        "gap_closes": [
+          "NIST-800-53-IA-2",
+          "NIST-800-53-SC-7",
+          "ALL-AI-PIPELINE-INTEGRITY"
+        ]
+      }
+    ],
+    "_auto_imported": false,
+    "_intake_method": "manual-verified-curation"
+  },
   "CVE-2024-24591": {
     "name": "ClearML Client SDK Dataset Path Traversal Arbitrary File Write",
     "lesson_date": "2026-05-25",