Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2024-12215
CVE-2024-12215:
Python vulnerability analysis and mitigation
Overview
In kedro-org/kedro version 0.19.8, a remote code execution vulnerability was discovered in the pull_package() API function. The vulnerability allows users to download and extract micro packages from the Internet, where the project_wheel_metadata() function within the code path can execute arbitrary commands on the victim's machine by running the setup.py file inside the tar file (NVD).
Technical details
The vulnerability is related to improper input validation (CWE-20) in the pull_package() API function. The issue stems from the execution of setup.py files within downloaded tar files through the project_wheel_metadata() function. The vulnerability has been assigned a CVSS v3.0 base score of 8.8 (HIGH) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (NVD).
Impact
If exploited, this vulnerability can lead to remote code execution (RCE) on the victim's machine, potentially allowing attackers to execute arbitrary commands with the privileges of the application running the kedro package (NVD).
Additional resources
Source: This report was generated using AI
Related Python vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management