Security: h2oai/h2o-3

SECURITY.md

Security Policy

Reporting a Vulnerability

Please report (suspected) security vulnerabilities to support@h2o.ai. You will receive a response from us within 48 hours. If the issue is confirmed, we will release a patch as soon as possible, depending on complexity; historically, this has been within a few days.

Known Vulnerabilities

We identified these vulnerabilities through our security scans. The following list shows each vulnerability and the libraries it was found in:

  • CVE-2024-9143: libcrypto3, libssl3
  • CVE-2021-22569: com.google.protobuf:protobuf-java (main-3.46.0.jar), com.google.protobuf:protobuf-java (main.jar)
  • CVE-2021-22570: com.google.protobuf:protobuf-java (main-3.46.0.jar), com.google.protobuf:protobuf-java (main.jar)
  • CVE-2022-3509: com.google.protobuf:protobuf-java (main-3.46.0.jar), com.google.protobuf:protobuf-java (main.jar)
  • CVE-2022-3510: com.google.protobuf:protobuf-java (main-3.46.0.jar), com.google.protobuf:protobuf-java (main.jar)
  • CVE-2024-7254: com.google.protobuf:protobuf-java (main-3.46.0.jar), com.google.protobuf:protobuf-java (main.jar)
  • CVE-2022-3171: com.google.protobuf:protobuf-java (main-3.46.0.jar), com.google.protobuf:protobuf-java (main.jar)
  • CVE-2024-23454: org.apache.hadoop:hadoop-common (main-3.46.0.jar), org.apache.hadoop:hadoop-common (main.jar)
  • CVE-2024-6763: org.eclipse.jetty:jetty-http (main-3.46.0.jar), org.eclipse.jetty:jetty-http (main.jar)
  • CVE-2024-8184: org.eclipse.jetty:jetty-http (main-3.46.0.jar), org.eclipse.jetty:jetty-http (main.jar)
  • CVE-2024-9823: org.eclipse.jetty:jetty-http (main-3.46.0.jar), org.eclipse.jetty:jetty-http (main.jar)
  • CVE-2024-23454: org.apache.hadoop:hadoop-common (steam-3.46.0.jar), org.apache.hadoop:hadoop-common (steam.jar)
  • CVE-2024-6763: org.eclipse.jetty:jetty-http (steam-3.46.0.jar), org.eclipse.jetty:jetty-http (steam.jar)
  • CVE-2024-8184: org.eclipse.jetty:jetty-http (steam-3.46.0.jar), org.eclipse.jetty:jetty-http (steam.jar)

There aren’t any published security advisories