CVE-2024-12215
8.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
In kedro-org/kedro version 0.19.8, the pull_package() API function allows users to download and extract micro packages from the Internet. However, the function project_wheel_metadata() within the code path can execute the setup.py file inside the tar file, leading to remote code execution (RCE) by running arbitrary commands on the victim's machine.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| kedro-org | kedro-org/kedro | unspecified <= latest | affected |
Weaknesses
- CWE-94: CWE-94 Improper Control of Generation of Code
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.