PT-2025-12291 · Kedro · Kedro

Published: 2025-03-20 · Updated: 2025-03-21 · CVE-2024-9701

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Kedro version 0.19.8

Description: A Remote Code Execution (RCE) issue has been identified, allowing an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The ShelveStore class uses Python's shelve module to manage session data, which relies on pickle for serialization. Crafting a malicious payload and storing it in the shelve file can lead to RCE when the payload is deserialized.

Recommendations: For version 0.19.8, consider disabling the use of the ShelveStore class until a patch is available, or restrict access to the shelve file to minimize the risk of exploitation. As a temporary workaround, avoid using the pickle module for serialization in the ShelveStore class.
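The recommendation above is to keep pickle-based deserialization away from session data. As an added example (not Kedro's own code), the following audits an existing shelve file without unpickling anything in it, and shows a loader that refuses everything except plain data; the names scan_pickle, RestrictedUnpickler, audit_shelve and the two sample sessions are assumptions made for the illustration.

```python
"""Safer handling of shelve-backed session files (added example, not Kedro's code).
shelve stores every value as a pickle, so loading an untrusted file can run code.
scan_pickle() inspects a stored blob with pickletools WITHOUT unpickling it;
RestrictedUnpickler refuses every global lookup so only plain data can load."""
import datetime
import dbm
import io
import os
import pickle
import pickletools
import shelve
import tempfile

# Opcodes that import a module attribute or invoke a callable during load.
CODE_LOADING_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                        "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def scan_pickle(blob):
    """Return the code-loading opcodes found in blob; the blob is never executed."""
    return {op.name for op, _arg, _pos in pickletools.genops(blob)
            if op.name in CODE_LOADING_OPCODES}

class RestrictedUnpickler(pickle.Unpickler):
    """Only plain data (str, int, list, dict, ...) may be loaded; no class lookups."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")

def safe_loads(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()

def audit_shelve(path):
    """Map each key in a shelve file to (suspicious opcodes, rejected by safe_loads)."""
    report = {}
    with dbm.open(path, "r") as db:          # raw bytes: nothing is unpickled here
        for raw_key in db.keys():
            blob = db[raw_key]
            try:
                safe_loads(blob); rejected = False
            except pickle.UnpicklingError:
                rejected = True
            report[raw_key.decode("utf-8")] = (scan_pickle(blob), rejected)
    return report

def demo():
    """Constructed sample: a plain-data session beside one that pickles a date object."""
    base = os.path.join(tempfile.mkdtemp(), "sessions")
    with shelve.open(base, flag="n") as store:
        store["sess-plain"] = {"user": "alice", "roles": ["viewer"]}
        store["sess-object"] = {"user": "bob", "last_login": datetime.date(2025, 3, 20)}
    return audit_shelve(base)
```

The date value is harmless; it is there only because shelve pickles it with a class reference, which is exactly what the audit flags and the restricted loader rejects.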

Fix · RCE · Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers: CVE-2024-9701, GHSA-747F-WW56-4Q4H

Affected Products: Kedro