CVE-2024-12215
Published: 2025-03-20
Priority: P3 (55) · Severity: high · CVSS 3.0 base score: 8.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.99% (58.0th percentile)
In kedro-org/kedro version 0.19.8, the `pull_package()` API function allows users to download and extract micro packages from the Internet. However, the function `project_wheel_metadata()` within the code path can execute the `setup.py` file inside the tar file, leading to remote code execution (RCE) by running arbitrary commands on the victim's machine.
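The `project_wheel_metadata()` named in the description obtains package metadata by building the sdist, and building a `setup.py`-based project executes that file. The check below is an added example, not code from the kedro project: it reads the metadata statically from `PKG-INFO` instead of building, refuses archives that ship a top-level `setup.py`, and also rejects link members and path-traversal names before anything is extracted. The sdist it inspects is constructed in memory for the demonstration; the function and policy names are this example's own.

```python
"""Offline pre-flight check for a micropackage sdist before it is pulled.

Added example, not code from the kedro project. Instead of building the
archive to obtain its metadata (which runs setup.py), it reads PKG-INFO
statically and refuses archives that would need a build step to install.
"""
import io
import posixpath
import tarfile
from dataclasses import dataclass, field
from email.parser import Parser
from typing import List, Optional


@dataclass
class SdistReport:
    name: Optional[str]
    version: Optional[str]
    executes_code_on_build: bool          # archive ships a top-level setup.py
    unsafe_members: List[str] = field(default_factory=list)


def _unsafe_member(member: tarfile.TarInfo) -> bool:
    """Members that must never be extracted: links, absolute paths, '..' traversal."""
    if member.issym() or member.islnk():
        return True
    name = posixpath.normpath(member.name)
    return name.startswith("/") or name == ".." or name.startswith("../")


def inspect_sdist(data: bytes) -> SdistReport:
    """Inspect an sdist tarball held in memory without extracting or building it."""
    name = version = None
    executes = False
    unsafe: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if _unsafe_member(member):
                unsafe.append(member.name)
                continue
            base = posixpath.basename(member.name)
            top_level = "/" not in posixpath.dirname(member.name)
            if base == "setup.py" and top_level:
                executes = True            # a build front end would run this file
            elif base == "PKG-INFO" and top_level and member.isfile():
                raw = tar.extractfile(member).read().decode("utf-8", "replace")
                msg = Parser().parsestr(raw)   # PKG-INFO uses RFC 822 style headers
                name, version = msg.get("Name"), msg.get("Version")
    return SdistReport(name, version, executes, unsafe)


def safe_to_pull(report: SdistReport) -> bool:
    """Example policy: static metadata present, no setup.py, no unsafe paths."""
    return (
        report.name is not None
        and not report.executes_code_on_build
        and not report.unsafe_members
    )


def build_sample_sdist(with_setup_py: bool, with_traversal: bool = False) -> bytes:
    """Constructed sample sdist (not a real package) for exercising the check."""
    root = "demo_pkg-1.0"
    files = {
        f"{root}/PKG-INFO": "Metadata-Version: 2.1\nName: demo_pkg\nVersion: 1.0\n",
        f"{root}/demo_pkg/__init__.py": "",
    }
    if with_setup_py:
        # Would execute during any build of this archive (here it just runs `id`).
        files[f"{root}/setup.py"] = "import os; os.system('id')\n"
    if with_traversal:
        files["../outside.txt"] = "escaped\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            payload = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_sdist(False)),
                        ("setup.py + traversal", build_sample_sdist(True, True))):
        report = inspect_sdist(blob)
        print(label, report, "pull:", safe_to_pull(report))
```

The absence of `setup.py` is necessary but not sufficient: a `pyproject.toml` that names a custom build backend or in-tree hooks can also run code at build time, so the policy above should be read as "never build untrusted archives to learn their metadata", with the static `PKG-INFO` read standing in for the build step.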
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kedro-org | kedro | 0 – 0.19.8 | — |
| kedro-org | kedro-org_kedro | unspecified – latest | — |
OSV (2025-03-20): CVE-2024-12215 [HIGH] Kedro allows Remote Code Execution by Pulling Micro Packages
GHSA (2025-03-20): CVE-2024-12215 [HIGH], CWE-20 (Improper Input Validation). Kedro allows Remote Code Execution by Pulling Micro Packages
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Timeline: 2025-03-20 published