CVE-2024-12215
Remote Code Execution in kedro-org/kedro
In kedro-org/kedro version 0.19.8, the `pull_package()` API function allows users to download and extract micro packages from the Internet. However, the function `project_wheel_metadata()` within the code path can execute the `setup.py` file inside the tar file, leading to remote code execution (RCE) by running arbitrary commands on the victim's machine.
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Productos afectados
kedro-org · kedro-org/kedro¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →