CVE-2024-27321

An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:refuel:autolabel:*:*:*:*:*:*:*:*

History

20 Sep 2024, 17:06

Type Values Removed Values Added
First Time Refuel autolabel
Refuel
CWE CWE-1236
CPE cpe:2.3:a:refuel:autolabel:*:*:*:*:*:*:*:*
References () https://hiddenlayer.com/sai-security-advisory/2024-09-autolabel/ - () https://hiddenlayer.com/sai-security-advisory/2024-09-autolabel/ - Third Party Advisory

12 Sep 2024, 18:14

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-12 13:15

Updated : 2024-09-20 17:06


NVD link : CVE-2024-27321

Mitre link : CVE-2024-27321

CVE.ORG link : CVE-2024-27321


JSON object : View

Products Affected

refuel

  • autolabel
CWE
CWE-1236

Improper Neutralization of Formula Elements in a CSV File

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')