CVE-2024-9701

Published: Mar 20, 2025

Modified: Mar 20, 2025

PUBLISHED

CVSS v3.0

9.8

CRITICAL

Description

A Remote Code Execution (RCE) vulnerability has been identified in the Kedro ShelveStore class (version 0.19.8). This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The ShelveStore class uses Python's shelve module to manage session data, which relies on pickle for serialization. Crafting a malicious payload and storing it in the shelve file can lead to RCE when the payload is deserialized.

Vendor	Product	Versions
kedro-org	kedro-org/kedro	affected `unspecified - < 0.19.9`

Weaknesses (CWE)

CWE-502

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://huntr.com/bounties/96c77fef-93b2-4d4d-8cbe-57a718d8eea5

https://github.com/kedro-org/kedro/commit/d79fa51de55ac0ccb58cce1a482df1b445f0fe7c

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-9701

Description

Affected Products

Weaknesses (CWE)

CVSS v3.0 Details

References