CVE-2024-9701 — Kedro deserialization vulnerability

Description

A Remote Code Execution (RCE) vulnerability has been identified in the Kedro ShelveStore class (version 0.19.8). This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The ShelveStore class uses Python's shelve module to manage session data, which relies on pickle for serialization. Crafting a malicious payload and storing it in the shelve file can lead to RCE when the payload is deserialized.

How to fix CVE-2024-9701

To remediate CVE-2024-9701, upgrade the affected package to a fixed version below.

—upgrade to 0.19.9 or later

Is CVE-2024-9701 being exploited?

Moderate — EPSS is 6.1%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 0.19.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-9701
PATCHgithub.com/kedro-org/kedro
WEBgithub.com/kedro-org/kedro/commit/66e5e074b2789469550370f370c8b486f638d975
WEBhuntr.com/bounties/96c77fef-93b2-4d4d-8cbe-57a718d8eea5