High severityNVD Advisory· Published Sep 12, 2024· Updated Sep 12, 2024

CVE-2024-27320

Description

An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
refuel-autolabelPyPI	>= 0.0.8, <= 0.0.16	—

Affected products

Refuel/Autolabelv5
Range: 0.0.8

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-g2m8-f3x2-qprwghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-27320ghsaADVISORY
github.com/refuel-ai/autolabel/blob/v0.0.16/src/autolabel/dataset/validation.pyghsaWEB
hiddenlayer.com/sai-security-advisory/2024-09-autolabelghsaWEB
hiddenlayer.com/sai-security-advisory/2024-09-autolabel/mitre

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000