Arbitrary code execution vulnerability in Refuel Autolabel library

CVE-2024-27321

7.8HIGH

Key Information

Vendor: Refuel
Status: Autolabel
Vendor: CVE Published:; 12 September 2024

Summary

An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.

Affected Version(s)

autolabel <= 0.0.8

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published.
Sep 12, 2024
Vulnerability Reserved.
Feb 23, 2024

Collectors

NVD DatabaseMitre Database