PT-2024-21820 · Unknown · Refuel Autolabel Library
Kasimir Schulz (+1) · Published 2024-09-12 · Updated 2024-09-23
CVE-2024-27320
CVSS v4.0: 8.6 (High)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Refuel Autolabel library versions 0.0.8 and newer
Description
An arbitrary code execution issue exists in the way the Refuel Autolabel library handles user-supplied CSV files in its classification tasks. If a maliciously crafted CSV file containing Python code is used to create a classification task, the embedded code is passed to an eval call and executed with the privileges of the process running Autolabel.
Recommendations
For Refuel Autolabel library versions 0.0.8 and newer, consider disabling the classification task feature that handles CSV files until a patch is available, and only load CSV files from sources you trust. If you maintain the code that builds classification tasks, replace the eval call with a parser that accepts only literal values (for example ast.literal_eval followed by a type check on the result), so that cell content can never be executed. At the time of writing, there is no information about a newer version that contains a fix for this vulnerability.
RCE
Eval Injection
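The unsafe pattern the description refers to, and the hardening the recommendation asks for, as an added illustrative example in Python. This is not Autolabel's own code: the CSV layout, the "label" column name, the sample rows and the function names are assumptions made for the demonstration. The third function is the pre-flight check a practitioner can run over a CSV before handing it to code they cannot patch.

```python
"""Added example (not the Autolabel project's code): eval() on CSV cells
versus a literal-only parser. The 'label' column name, the CSV layout and
every function name here are assumptions made for the demonstration."""
import ast
import csv
import io

# Constructed sample inputs. The label column holds a list-like string, the
# kind of cell a multi-label classification task might turn back into a
# Python list. The second file puts an expression in that cell instead.
BENIGN_CSV = 'text,label\n"great product","[\'positive\', \'review\']"\n'
MALICIOUS_CSV = 'text,label\n"great product","__import__(\'os\').getpid()"\n'


def parse_labels_unsafe(csv_text, column="label"):
    """Vulnerable pattern: eval() turns the cell into a Python object, so any
    expression the file author writes runs with the privileges of the process.
    Deliberately unsafe; it exists only to show the bug."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [eval(row[column]) for row in reader]


def parse_labels_safe(csv_text, column="label"):
    """Hardened form: ast.literal_eval accepts only Python literals (strings,
    numbers, lists, dicts, ...). Names, calls and attribute access raise
    ValueError or SyntaxError, so an eval payload is rejected instead of run.
    The result is also type-checked so that a literal of the wrong shape (a
    bare string, a dict) does not reach the caller."""
    reader = csv.DictReader(io.StringIO(csv_text))
    labels = []
    for row in reader:
        cell = row[column]
        try:
            value = ast.literal_eval(cell)
        except (ValueError, SyntaxError) as exc:
            raise ValueError(f"rejected non-literal cell {cell!r}") from exc
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            raise ValueError(f"label cell must be a list of strings, got {value!r}")
        labels.append(value)
    return labels


def find_non_literal_cells(csv_text, column="label"):
    """Pre-flight check for a CSV you are about to hand to code you cannot
    patch: returns (data row number, cell) for every cell in `column` that is
    not a plain Python literal. An empty list means eval() on that column
    would do nothing beyond constructing literal values."""
    reader = csv.DictReader(io.StringIO(csv_text))
    suspicious = []
    for number, row in enumerate(reader, start=1):
        cell = row[column]
        try:
            ast.literal_eval(cell)
        except (ValueError, SyntaxError):
            suspicious.append((number, cell))
    return suspicious


if __name__ == "__main__":
    print("benign, safe parser:", parse_labels_safe(BENIGN_CSV))
    print("malicious, flagged cells:", find_non_literal_cells(MALICIOUS_CSV))
    # The unsafe parser runs the payload; here it merely returns the process id,
    # but any os.system() call would have run just the same.
    print("malicious, unsafe parser returned:", parse_labels_unsafe(MALICIOUS_CSV))
```

ast.literal_eval removes the code execution path but is not a hardened input parser: very deeply nested literals can exhaust the interpreter stack, so it still belongs behind a size limit and error handling. If the column only ever needs a list of strings, an even narrower format such as JSON parsed with json.loads gives the same safety with a smaller grammar.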
Related Identifiers
Affected Products
Refuel Autolabel Library