CVE-2024-27321

An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://hiddenlayer.com/sai-security-advisory/2024-09-autolabel/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:refuel:autolabel:*:*:*:*:*:*:*:*

History

20 Sep 2024, 17:06

Type	Values Removed	Values Added
Summary		(es) Existe una vulnerabilidad de ejecución de código arbitrario en las versiones 0.0.8 y posteriores de la librería Refuel Autolabel debido a la forma en que sus tareas de clasificación de etiquetas múltiples manejan los archivos CSV proporcionados. Si un usuario crea una tarea de clasificación de etiquetas múltiples utilizando un archivo CSV manipulado con fines malintencionados que contiene código Python, el código se pasará a una función eval que lo ejecutará.
References	~~() https://hiddenlayer.com/sai-security-advisory/2024-09-autolabel/ -~~	() https://hiddenlayer.com/sai-security-advisory/2024-09-autolabel/ - Third Party Advisory
First Time		Refuel Refuel autolabel
CWE		CWE-1236
CPE		cpe:2.3:a:refuel:autolabel::::::::

12 Sep 2024, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-12 13:15

Updated : 2024-09-20 17:06

NVD link : CVE-2024-27321

Mitre link : CVE-2024-27321

CVE.ORG link : CVE-2024-27321

JSON object : View

Products Affected

refuel

autolabel

CWE

CWE-1236

Improper Neutralization of Formula Elements in a CSV File

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

{"id": "CVE-2024-27321", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-09-12T13:15:12.267", "references": [{"url": "https://hiddenlayer.com/sai-security-advisory/2024-09-autolabel/", "tags": ["Third Party Advisory"], "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-1236"}]}, {"type": "Secondary", "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "description": [{"lang": "en", "value": "CWE-95"}]}], "descriptions": [{"lang": "en", "value": "An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it."}, {"lang": "es", "value": "Existe una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo arbitrario en las versiones 0.0.8 y posteriores de la librer\u00eda Refuel Autolabel debido a la forma en que sus tareas de clasificaci\u00f3n de etiquetas m\u00faltiples manejan los archivos CSV proporcionados. Si un usuario crea una tarea de clasificaci\u00f3n de etiquetas m\u00faltiples utilizando un archivo CSV manipulado con fines malintencionados que contiene c\u00f3digo Python, el c\u00f3digo se pasar\u00e1 a una funci\u00f3n eval que lo ejecutar\u00e1."}], "lastModified": "2024-09-20T17:06:58.440", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:refuel:autolabel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "34DA97A8-DFF9-46D6-9821-12DE59309BA7", "versionStartIncluding": "0.0.8"}], "operator": "OR"}]}], "sourceIdentifier": "6f8de1f0-f67e-45a6-b68f-98777fdb759c"}