
CVE-2024-12215
Date: March 20, 2025
In kedro-org/kedro version 0.19.8, the "pull_package()" API function allows users to download and extract micro packages from the Internet. However, the function "project_wheel_metadata()" in that code path can execute the "setup.py" file inside the downloaded tar file, leading to remote code execution (RCE): arbitrary commands run on the victim's machine.
Severity Score
Weakness Type (CWE)
CVSS v3.1
| Base Score: | |
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | REQUIRED |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | HIGH |
| Availability (A): | HIGH |