CVE-2024-12215
kedro 0.19.8 - Remote Code Execution via setup.py in Micro Package Extraction
Severity
HIGH
Title source: llmDescription
In kedro-org/kedro version 0.19.8, the `pull_package()` API function downloads a micro-package from the Internet as a tar file and extracts it. On that code path the function `project_wheel_metadata()` obtains the package metadata by building the project, which executes the `setup.py` contained in the tar file. A micro-package served by an attacker can therefore run arbitrary commands on the machine of any user who pulls it (remote code execution, RCE); the only user interaction required is the pull itself, which is the UI:R component of the CVSS vector below.
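The pattern described above, as an added example that is not kedro's code and does not reproduce the exact `project_wheel_metadata()` call: a constructed sdist whose `setup.py` has a visible side effect, a "pull" that obtains metadata by running that `setup.py` (here queried directly with `python setup.py --version` rather than through a build backend, which is the same trust decision), and a safe alternative that reads the archive's `PKG-INFO` without executing anything. The function names `build_sdist`, `safe_extract`, `vulnerable_pull`, `static_metadata` and `demo`, the package name `evil_micropkg` and the marker file `pwned.txt` are all assumptions made for the example.

```python
"""Added example (not kedro's code): obtaining metadata from an untrusted
sdist by running setup.py executes attacker code; reading PKG-INFO does not.
All names here are illustrative; the sdist is constructed in-process."""
import io
import subprocess
import sys
import tarfile
import tempfile
from email.parser import HeaderParser
from pathlib import Path

# Constructed sample payload. The side effect is a marker file; a real
# attacker would run any command here. It fires before setuptools is even
# imported, so it works whether or not setuptools is installed.
MALICIOUS_SETUP_PY = b"""
from pathlib import Path
Path("pwned.txt").write_text("setup.py executed")
from setuptools import setup
setup(name="evil_micropkg", version="0.1.0")
"""

# Static metadata an sdist carries alongside setup.py (RFC 822-style headers).
PKG_INFO = b"""Metadata-Version: 2.1
Name: evil_micropkg
Version: 0.1.0
"""


def build_sdist(dest: Path) -> Path:
    """Write the constructed sdist evil_micropkg-0.1.0.tar.gz into dest."""
    path = dest / "evil_micropkg-0.1.0.tar.gz"
    with tarfile.open(path, "w:gz") as tar:
        for name, data in (("setup.py", MALICIOUS_SETUP_PY), ("PKG-INFO", PKG_INFO)):
            info = tarfile.TarInfo(f"evil_micropkg-0.1.0/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


def safe_extract(sdist_path: Path, workdir: Path) -> Path:
    """Unpack the archive, refusing absolute or traversing member paths and
    anything that is not a plain file or directory (no symlinks, devices).
    Returns the single top-level package directory."""
    tops = set()
    with tarfile.open(sdist_path, "r:gz") as tar:
        for member in tar.getmembers():
            parts = Path(member.name).parts
            if Path(member.name).is_absolute() or ".." in parts:
                raise ValueError(f"refusing member path {member.name!r}")
            tops.add(parts[0])
            if member.isdir():
                continue
            if not member.isfile():
                raise ValueError(f"refusing non-regular member {member.name!r}")
            target = workdir / member.name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(tar.extractfile(member).read())
    if len(tops) != 1:
        raise ValueError("sdist must have exactly one top-level directory")
    return workdir / tops.pop()


def vulnerable_pull(sdist_path: Path, workdir: Path) -> bool:
    """The vulnerable pattern: unpack, then ask setup.py for its metadata.
    project_wheel_metadata() reaches setup.py through a build backend; this
    example issues the query directly, which is the same trust decision.
    Returns True if the archive's setup.py ran (marker file present)."""
    pkg_dir = safe_extract(sdist_path, workdir)
    subprocess.run([sys.executable, "setup.py", "--version"], cwd=pkg_dir,
                   capture_output=True, check=False)
    return (pkg_dir / "pwned.txt").exists()


def static_metadata(sdist_path: Path) -> dict:
    """The safe alternative for the metadata step: parse the top-level
    PKG-INFO straight from the archive without extracting or executing
    anything from it."""
    with tarfile.open(sdist_path, "r:gz") as tar:
        for member in tar.getmembers():
            parts = Path(member.name).parts
            if len(parts) == 2 and parts[1] == "PKG-INFO" and member.isfile():
                text = tar.extractfile(member).read().decode("utf-8")
                headers = HeaderParser().parsestr(text)
                return {"name": headers["Name"], "version": headers["Version"]}
    raise ValueError("no top-level PKG-INFO in sdist")


def demo() -> dict:
    """Run both paths against the constructed sdist in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sdist = build_sdist(root)
        meta = static_metadata(sdist)
        markers_after_static = list(root.rglob("pwned.txt"))
        ran = vulnerable_pull(sdist, root / "unpacked")
        return {
            "metadata": meta,
            "markers_after_static": len(markers_after_static),
            "setup_py_ran": ran,
        }


if __name__ == "__main__":
    print(demo())
```

Two caveats apply to the safe path. `PKG-INFO` in an untrusted archive is still attacker-controlled data, so its values should be validated before they are used to name directories or build commands. And reading metadata statically only removes code execution from the metadata step: any later build or install of the same archive runs `setup.py` again, so the durable control is to pull micro-packages only from sources you trust.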
References (1)
Exploit, Third Party Advisory
https://huntr.com/bounties/fad27503-97a4-4933-91d4-96223b8c54d8
Scores
CVSS v3
8.8
EPSS
0.0085
EPSS Percentile
75.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (2)
kedro-org/kedro
unspecified - latest
pypi/kedro
PyPI
Published
Mar 20, 2025
Tracked Since
Feb 18, 2026