Lucene search

6f8de1f0-f67e-45a6-b68f-98777fdb759cNVD:CVE-2024-27320

HistorySep 12, 2024 - 1:15 p.m.

CVE-2024-27320

2024-09-1213:15:11

CWE-95

CWE-1236

6f8de1f0-f67e-45a6-b68f-98777fdb759c

web.nvd.nist.gov

arbitrary code execution

refuel autolabel

classification tasks

csv files

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

22.3%

JSON

An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.

Affected configurations

Nvd

Node

refuelautolabelRange0.0.8≥

VendorProductVersionCPE
refuelautolabel*cpe:2.3:a:refuel:autolabel:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
refuel	autolabel	*	cpe:2.3:a:refuel:autolabel::::::::

References

hiddenlayer.com/sai-security-advisory/2024-09-autolabel/

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

22.3%

JSON

Related for NVD:CVE-2024-27320