GHSA-rm69-wvpv-r2w7

Published: 20 Mar 2025
Source: github
GitHub: reviewed
CVSS3: 8.8

Description

Kedro allows Remote Code Execution by Pulling Micro Packages

In kedro-org/kedro version 0.19.8, the pull_package() API function allows users to download and extract micro packages from the Internet. However, the function project_wheel_metadata() within the code path can execute the setup.py file inside the tar file, leading to remote code execution (RCE) by running arbitrary commands on the victim's machine.

Packages

Name: kedro (pip)
Affected versions: <= 0.19.8
Fixed version: none

EPSS

Percentile: 67%
Score: 0.0053
Low

CVSS3: 8.8 High

Weaknesses (CWE)

CWE-20
CWE-829
CWE-94

Related vulnerabilities

CVSS3: 8.8
nvd
11 months ago
