CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
22.3%
SSVC
Exploitation
poc
Automatable
no
Technical Impact
total
An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.
[
{
"cpes": [
"cpe:2.3:a:refuel:autolabel:*:*:*:*:*:*:*:*"
],
"vendor": "refuel",
"product": "autolabel",
"versions": [
{
"status": "affected",
"version": "0.0.8",
"versionType": "semver",
"lessThanOrEqual": "*"
}
],
"defaultStatus": "unaffected"
}
]
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
22.3%
SSVC
Exploitation
poc
Automatable
no
Technical Impact
total