Arbitrary Code Execution Vulnerability in Refuel Autolabel Library
CVE-2024-27320

7.8HIGH

Key Information:

Vendor: Refuel
Status: Autolabel
Vendor: CVE Published:; 12 September 2024

Summary

The Refuel Autolabel library versions 0.0.8 and later have a vulnerability that allows arbitrary code execution due to improper handling of CSV files during classification tasks. When a user attempts to create a classification task using a specially crafted CSV file, any embedded Python code within that file may be executed through an eval function. This flaw poses a significant risk, particularly if the CSV file is crafted by an attacker who can exploit this mechanism to run unauthorized commands on the victim's system.

Affected Version(s)

autolabel 0.0.8

References

https://hiddenlayer.com/sai-security-advisory/2024-09-aut...

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Sep 12, 2024
Vulnerability Reserved
Feb 23, 2024