Improper Control of Generation of Code ('Code Injection') Affecting refuel-autolabel package, versions [0.0.8,]
Threat Intelligence
- Exploit Maturity: Proof of concept
- EPSS: 0.05% (23rd percentile)
- Snyk ID SNYK-PYTHON-REFUELAUTOLABEL-7945498
- published 13 Sep 2024
- disclosed 12 Sep 2024
- credit Leo Ring, Kasimir Schulz
Introduced: 12 Sep 2024
CVE-2024-27321
How to fix?
There is no fixed version for refuel-autolabel.
Overview
refuel-autolabel is a library to label, clean and enrich text datasets with LLMs.
Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') via the validate function of the MLCTaskValidate class due to the handling of CSV files in multilabel classification tasks. An attacker can execute arbitrary code by crafting a malicious CSV file that contains executable Python code.
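The following is an added illustration of the weak pattern beside a hardened one; it is not refuel-autolabel's own code. It assumes the multilabel column holds a Python-list string such as "['spam', 'urgent']" and that a weak validator rebuilds it with eval(); the hardened parser accepts only a literal list of strings drawn from the task's declared label set. The function names, sample CSV rows and label set are constructed for the example.

```python
import ast
import csv
import io
from typing import List, Set, Tuple

# Hypothetical reconstruction of the flaw's shape (assumption, not the project's code):
# the label cell is handed to eval(), so any Python expression in the CSV runs.
def parse_labels_unsafe(cell: str) -> List[str]:
    return eval(cell)  # executes whatever expression the CSV cell contains

# Hardened parser: literal_eval() parses literals only and never calls code;
# the result must be a list of strings, each from the allowed label set.
def parse_labels_safe(cell: str, allowed: Set[str]) -> List[str]:
    try:
        value = ast.literal_eval(cell)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"label cell is not a literal list: {cell!r}") from exc
    if not isinstance(value, list) or not all(isinstance(x, str) for x in value):
        raise ValueError(f"label cell must be a list of strings: {cell!r}")
    unknown = set(value) - allowed
    if unknown:
        raise ValueError(f"unknown labels {sorted(unknown)}; allowed: {sorted(allowed)}")
    return value

# Validate every row of a multilabel CSV. Returns (parsed label lists, error messages)
# so a caller can reject the whole file when errors is non-empty.
def validate_multilabel_csv(text: str, label_column: str,
                            allowed: Set[str]) -> Tuple[List[List[str]], List[str]]:
    rows, errors = [], []
    # Data starts on line 2 of the file; line 1 is the header.
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            rows.append(parse_labels_safe(row[label_column], allowed))
        except ValueError as exc:
            errors.append(f"row {lineno}: {exc}")
    return rows, errors

# Constructed sample input: two benign rows, then a row whose label cell is a
# Python call expression instead of a list literal.
BENIGN_CSV = "text,labels\nhello,\"['spam', 'urgent']\"\nbye,\"['ham']\"\n"
HOSTILE_CSV = "text,labels\nhello,\"os.getcwd()\"\n"
ALLOWED = {"spam", "urgent", "ham"}

if __name__ == "__main__":
    print(validate_multilabel_csv(BENIGN_CSV, "labels", ALLOWED))
    print(validate_multilabel_csv(HOSTILE_CSV, "labels", ALLOWED))
```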