CVE-2024-9701

Source
https://cve.org/CVERecord?id=CVE-2024-9701
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-9701.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-9701
Aliases
Published
2025-03-20T10:10:05.630Z
Modified
2026-07-08T07:12:21.798585243Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Remote Code Execution in kedro-org/kedro
Details

A Remote Code Execution (RCE) vulnerability has been identified in the Kedro ShelveStore class (version 0.19.8). This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The ShelveStore class uses Python's shelve module to manage session data, which relies on pickle for serialization. Crafting a malicious payload and storing it in the shelve file can lead to RCE when the payload is deserialized.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/9xxx/CVE-2024-9701.json",
    "cna_assigner": "@huntr_ai",
    "cwe_ids": [
        "CWE-502"
    ]
}
References

Affected packages

Git / github.com/kedro-org/kedro

Affected ranges

Type
GIT
Repo
https://github.com/kedro-org/kedro
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.19.9"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-9701.json"