CVE-2024-27321: Refuel Autolab Eval Injection vulnerability

September 12, 2024 (updated September 20, 2024)

An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.

References

github.com/advisories/GHSA-4fgp-7vvm-m4jf
github.com/refuel-ai/autolabel
github.com/refuel-ai/autolabel/blob/v0.0.16/src/autolabel/dataset/validation.py
hiddenlayer.com/sai-security-advisory/2024-09-autolabel
nvd.nist.gov/vuln/detail/CVE-2024-27321

Code Behaviors & Features

Detect and mitigate CVE-2024-27321 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →