GHSA-rm69-wvpv-r2w7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rm69-wvpv-r2w7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-rm69-wvpv-r2w7/GHSA-rm69-wvpv-r2w7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rm69-wvpv-r2w7
- Aliases
-
- CVE-2024-12215
- Published
- 2025-03-20T12:32:42Z
- Modified
- 2025-10-15T17:31:37.829387Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Kedro allows Remote Code Execution by Pulling Micro Packages
- Details
-
In kedro-org/kedro version 0.19.8, the
pull_package()API function allows users to download and extract micro packages from the Internet. However, the functionproject_wheel_metadata()within the code path can execute thesetup.pyfile inside the tar file, leading to remote code execution (RCE) by running arbitrary commands on the victim's machine. - Database specific
{ "github_reviewed": true, "nvd_published_at": "2025-03-20T10:15:27Z", "cwe_ids": [ "CWE-20", "CWE-829", "CWE-94" ], "github_reviewed_at": "2025-03-21T17:25:31Z", "severity": "HIGH" }- References
Affected packages
PyPI / kedro
Package
- Name
- kedro
- View open source insights on deps.dev
- Purl
- pkg:pypi/kedro
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedLast affected0.19.8
Affected versions
0.*
0.14.0
0.14.1
0.14.2
0.14.3
0.15.0
0.15.1
0.15.2
0.15.3
0.15.4
0.15.5
0.15.6
0.15.7
0.15.8
0.15.9
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.16.5
0.16.6
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.17.5
0.17.6
0.17.7
0.18.0
0.18.1
0.18.2
0.18.3
0.18.4
0.18.5
0.18.6
0.18.7
0.18.8
0.18.9
0.18.10
0.18.11
0.18.12
0.18.13
0.18.14
0.19.0
0.19.1
0.19.2
0.19.3
0.19.4
0.19.5
0.19.6
0.19.7
0.19.8