CVE-2024-12215
📋 TL;DR
This vulnerability in kedro 0.19.8 allows remote code execution when users download micro packages via the pull_package() API. Attackers can craft malicious tar files containing setup.py scripts that execute arbitrary commands on the victim's machine. Anyone using the vulnerable kedro version with internet access to download packages is affected.
💻 Affected Systems
- kedro
⚠️ Manual Verification Required
The CVE database entry used for automatic detection carries no version range, so automated checks cannot tell whether your system is affected; compare your installed version against the releases named in this page (0.19.8 reported affected, 0.19.9 or later reported fixed) instead.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the victim's machine, allowing data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Attacker executes arbitrary commands to steal sensitive data, install backdoors, or use the compromised system for further attacks.
If Mitigated
Limited impact if proper network segmentation and least privilege principles are enforced, potentially containing the damage to isolated environments.
🎯 Exploit Status
Exploitation requires the attacker to control or compromise a package repository that the victim downloads from, or trick the victim into downloading a malicious package.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.19.9 or later
Vendor Advisory: https://github.com/kedro-org/kedro/security/advisories/GHSA-xxxx-xxxx-xxxx
Restart Required: No
Instructions:
1. Update kedro using pip: pip install --upgrade "kedro>=0.19.9" (quote the specifier, otherwise the shell treats >= as an output redirect)
2. Verify the update completed successfully
3. No restart required as this is a Python library update
🔧 Temporary Workarounds
Disable pull_package functionality
Temporarily disable or restrict access to the pull_package() API function (the same entry point is reached via the kedro micropkg pull CLI command) until patching is possible.
# Review codebase, CI jobs and developer scripts for pull_package() / kedro micropkg pull usage and comment out or remove calls
Use trusted package sources only
Only pull micro-packages from trusted, verified locations. kedro takes the source (local sdist path, URL or PyPI name) as an argument, so the restriction has to be enforced by policy, code review and network controls rather than a kedro setting.
# Restrict the sources passed to pull_package() to internal/trusted repositories and block other package hosts at the network level
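The two workarounds above reduce to one rule: do not hand pull_package() an archive you have not looked at. The following is an added example (not kedro's own code and not part of the advisory) of an inspection gate that lists a micro-package sdist without extracting it and refuses archives that ship a setup.py, a path that escapes the extraction directory, or a link entry. Assumptions: the archive bytes are available locally before the pull, refusing any setup.py is an acceptable policy for your micro-packages, and the `pull` callable passed to `safe_pull` stands in for the real kedro call. The two sample archives are constructed in memory; the "malicious" one only contains the text of a setup.py and is never executed.

```python
"""Pre-pull inspection gate for micro-package sdists.

Added example, not kedro code. The vulnerable release ran whatever setup.py
the archive shipped; this check runs *before* pull_package() is called and
refuses such archives instead of trusting the source.
"""
import io
import tarfile
from dataclasses import dataclass, field
from pathlib import PurePosixPath


@dataclass
class Verdict:
    safe: bool
    reasons: list = field(default_factory=list)


def inspect_sdist(tar_bytes: bytes) -> Verdict:
    """List the archive (no extraction) and collect reasons to refuse it."""
    reasons = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            path = PurePosixPath(member.name)
            # Absolute or ".."-containing names would write outside the target dir.
            if path.is_absolute() or ".." in path.parts:
                reasons.append(f"path escapes extraction dir: {member.name}")
            # Symlinks/hardlinks can redirect later writes to arbitrary files.
            if member.issym() or member.islnk():
                reasons.append(f"link entry: {member.name} -> {member.linkname}")
            # Policy assumption: a micro-package must not carry an install-time script.
            if path.name == "setup.py":
                reasons.append(f"install-time script present: {member.name}")
    return Verdict(safe=not reasons, reasons=reasons)


def safe_pull(tar_bytes: bytes, pull):
    """Only invoke `pull` (stand-in for kedro's pull_package) if inspection passes."""
    verdict = inspect_sdist(tar_bytes)
    if not verdict.safe:
        raise ValueError("refusing micro-package: " + "; ".join(verdict.reasons))
    return pull(tar_bytes)


def build_sdist(files: dict) -> bytes:
    """Build an in-memory .tar.gz from {name: text}; used only for constructed samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples (not real packages).
BENIGN = build_sdist({
    "my_pkg-0.1/pyproject.toml": "[project]\nname = 'my_pkg'\nversion = '0.1'\n",
    "my_pkg-0.1/my_pkg/__init__.py": "",
    "my_pkg-0.1/my_pkg/nodes.py": "def identity(x):\n    return x\n",
})

MALICIOUS = build_sdist({
    "my_pkg-0.1/pyproject.toml": "[project]\nname = 'my_pkg'\nversion = '0.1'\n",
    # Text only; never executed here. Illustrates the setup.py the advisory warns about.
    "my_pkg-0.1/setup.py": "import os\nos.system('id')  # would run at install time\n",
    "my_pkg-0.1/my_pkg/__init__.py": "",
})

if __name__ == "__main__":
    print("benign   :", inspect_sdist(BENIGN))
    print("malicious:", inspect_sdist(MALICIOUS))
```

Wire `safe_pull` in front of the real call so a refused archive raises before kedro ever sees it; on an already patched kedro the gate still catches traversal and link entries, which pull_package() is not responsible for.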
🧯 If You Can't Patch
- Implement strict network controls to prevent downloading packages from untrusted sources
- Run kedro in isolated containers or sandboxed environments with minimal privileges
🔍 How to Verify
Check if Vulnerable:
You are affected if the installed kedro version is 0.19.8, the release named in the advisory.
Check Version:
python -c "import kedro; print(kedro.__version__)"
Verify Fix Applied:
After updating, re-run the version command above and confirm it prints 0.19.9 or higher.
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution following package downloads
- Suspicious commands in setup.py execution logs
- Failed or abnormal package extraction attempts
Network Indicators:
- Downloads from unusual or untrusted package repositories
- Unexpected outbound connections following package downloads
SIEM Query (pseudo-syntax; package.source is not a standard field, so map it to wherever your telemetry records the pulled archive's origin, e.g. the parent command line):
process.name: 'python' AND process.args: 'setup.py' AND event.action: 'execute' AND package.source NOT IN ['trusted-repo1', 'trusted-repo2']
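The query above is a sketch. As an added example (not part of the advisory or of kedro), here is the same logic as runnable detection code over constructed ECS-style process events: it flags a python process that executes setup.py, pulls the micro-package source out of the parent `kedro micropkg pull <source>` command line, and alerts unless the source host is on an allowlist. Assumptions: the event shape (process.name, process.args, process.parent.args), the allowlist hosts, and the sample events are all made up for the demonstration; the exact build invocation pip uses for an sdist varies by pip version, so tune `runs_setup_py` to what your endpoint telemetry actually records.

```python
"""Detection over constructed ECS-style events for setup.py execution during a
micro-package pull. Added example; field names and hosts are assumptions."""
import json
from urllib.parse import urlparse

# Assumed allowlist of internal package hosts; anything else fails closed.
TRUSTED_HOSTS = {"pypi.internal.example", "artifacts.example.com"}

# Constructed sample telemetry (newline-delimited JSON), not real logs.
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    {"@timestamp": "2024-12-05T10:00:01Z", "host": {"name": "ds-laptop-1"},
     "process": {"name": "python", "args": ["python", "pipeline.py"],
                 "parent": {"name": "bash", "args": ["bash"]}}},
    {"@timestamp": "2024-12-05T10:05:12Z", "host": {"name": "ds-laptop-1"},
     "process": {"name": "python", "args": ["python", "setup.py", "install"],
                 "parent": {"name": "kedro", "args": ["kedro", "micropkg", "pull",
                            "https://pypi.internal.example/micro/my_pkg-0.1.tar.gz"]}}},
    {"@timestamp": "2024-12-05T10:07:40Z", "host": {"name": "ds-laptop-2"},
     "process": {"name": "python3", "args": ["python3", "setup.py", "install"],
                 "parent": {"name": "kedro", "args": ["kedro", "micropkg", "pull",
                            "https://cdn.example.net/my_pkg-0.1.tar.gz"]}}},
])


def runs_setup_py(proc: dict) -> bool:
    """True for a python interpreter whose argv names a setup.py."""
    name = proc.get("name", "")
    return name.startswith("python") and any(a.endswith("setup.py") for a in proc.get("args", []))


def pull_source(proc: dict):
    """Return the <source> argument of a parent `kedro micropkg pull <source>`, if any."""
    args = proc.get("parent", {}).get("args", [])
    if "pull" in args:
        idx = args.index("pull")
        if idx + 1 < len(args):
            return args[idx + 1]
    return None


def is_trusted(source: str) -> bool:
    """Only URLs on an allowlisted host are trusted; bare PyPI names and local
    paths have no host and are treated as untrusted (fail closed)."""
    host = urlparse(source).hostname
    return host is not None and host in TRUSTED_HOSTS


def detect(ndjson: str) -> list:
    """Return one alert per setup.py execution whose source is not trusted."""
    alerts = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        proc = event.get("process", {})
        if not runs_setup_py(proc):
            continue
        source = pull_source(proc)
        if source is not None and is_trusted(source):
            continue
        alerts.append({
            "timestamp": event.get("@timestamp"),
            "host": event.get("host", {}).get("name"),
            "command": " ".join(proc.get("args", [])),
            "source": source,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_NDJSON):
        print(json.dumps(alert))
```

The allowlist is deliberately strict: a setup.py run with no identifiable source (no `pull` in the parent command line) still alerts, since the page's concern is install-time code running from an archive whose origin is unknown.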