CVE-2024-12215 Information

Description

In kedro-org/kedro version 0.19.8 the pull_package() API function allows users to download and extract micro packages from the Internet. However the function project_wheel_metadata() within the code path can execute the setup.py file inside the tar file leading to remote code execution (RCE) by running arbitrary commands on the victim’s machine.

Reference

https://huntr.com/bounties/fad27503-97a4-4933-91d4-96223b8c54d8