CVE-2024-27320

An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://hiddenlayer.com/sai-security-advisory/2024-09-autolabel/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:refuel:autolabel:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-09-12 13:15

Updated : 2024-09-23 13:56

NVD link : CVE-2024-27320

Mitre link : CVE-2024-27320

CVE.ORG link : CVE-2024-27320

JSON object : View

Products Affected

refuel

autolabel

CWE

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CWE-1236

Improper Neutralization of Formula Elements in a CSV File

{"id": "CVE-2024-27320", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-09-12T13:15:11.987", "references": [{"url": "https://hiddenlayer.com/sai-security-advisory/2024-09-autolabel/", "tags": ["Third Party Advisory"], "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c", "description": [{"lang": "en", "value": "CWE-95"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-1236"}]}], "descriptions": [{"lang": "en", "value": "An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it."}, {"lang": "es", "value": "Existe una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo arbitrario en las versiones 0.0.8 y posteriores de la librer\u00eda Refuel Autolabel debido a la forma en que sus tareas de clasificaci\u00f3n manejan los archivos CSV proporcionados. Si un usuario v\u00edctima crea una tarea de clasificaci\u00f3n utilizando un archivo CSV manipulado con fines malintencionados que contiene c\u00f3digo Python, el c\u00f3digo se pasar\u00e1 a una funci\u00f3n eval que lo ejecutar\u00e1."}], "lastModified": "2024-09-23T13:56:48.353", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:refuel:autolabel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "34DA97A8-DFF9-46D6-9821-12DE59309BA7", "versionStartIncluding": "0.0.8"}], "operator": "OR"}]}], "sourceIdentifier": "6f8de1f0-f67e-45a6-b68f-98777fdb759c"}