Remote Code Execution Vulnerability in Kedro by QuantumBlack
CVE-2024-12215

8.8 HIGH

Key Information:

Vendor: Kedro-org

CVE Published: 20 March 2025

What is CVE-2024-12215?

In Kedro version 0.19.8, the pull_package() API function downloads and extracts micro-packages, and a setup.py contained in the pulled tar archive is executed as part of that process. A crafted archive can therefore run arbitrary commands, leading to unauthorised code execution on the machine that pulls the package.
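The advisory's point is that a tar archive handed to pull_package() can carry an install-time hook (setup.py) that runs code. The pre-flight check below, an added example that is not Kedro's own code, inspects such an archive without extracting it and reports any setup.py member, path-traversal member name, or link member, so an operator can refuse the archive before calling pull_package(). The archives it is run on here are constructed in memory for illustration.

```python
import io
import tarfile
from pathlib import PurePosixPath

# Member names that cause code to run when a source archive is installed.
# setup.py is the hook named in the advisory; build backends declared in
# pyproject.toml can also run code, so treat this list as a minimum, not a whitelist.
INSTALL_HOOKS = {"setup.py"}


def audit_micropackage_tar(data: bytes) -> list[str]:
    """Return findings for a micro-package tarball; an empty list means nothing flagged.

    Only the archive index is read; no member is extracted or executed.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            path = PurePosixPath(member.name)
            # Absolute or parent-relative names would write outside the target directory.
            if path.is_absolute() or ".." in path.parts:
                findings.append(f"unsafe path: {member.name}")
            # Symlinks and hardlinks can redirect later writes outside the extraction root.
            if member.issym() or member.islnk():
                findings.append(f"link member: {member.name} -> {member.linkname}")
            # A setup.py in a source archive is executed by the packaging toolchain on install.
            if path.name in INSTALL_HOOKS:
                findings.append(f"install-time hook: {member.name}")
    return findings


def build_sample_tar(files: dict[str, bytes]) -> bytes:
    """Constructed helper: build an in-memory .tar.gz from {member_name: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample archives: one plain package, one carrying a setup.py hook.
    clean = build_sample_tar({"pkg-0.1/src/pkg/__init__.py": b""})
    hooked = build_sample_tar({"pkg-0.1/setup.py": b"# placeholder content\n"})
    print("clean:", audit_micropackage_tar(clean))
    print("hooked:", audit_micropackage_tar(hooked))
```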

Affected Version(s)

kedro-org/kedro <= unspecified

References

CVSS V3.0

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved