Vulnerabilities > CVE-2024-27320 - Improper Neutralization of Formula Elements in a CSV File vulnerability in Refuel Autolabel

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

refuel

CWE-1236

NVD

Published: 2024-09-12

Updated: 2024-09-23

Summary

An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.

Vulnerable Configurations

Part	Description	Count
Application	Refuel Refuel Autolabel *	1

Common Weakness Enumeration (CWE)

CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

References

https://hiddenlayer.com/sai-security-advisory/2024-09-autolabel/