{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-04T02:49:57.844","vulnerabilities":[{"cve":{"id":"CVE-2024-12215","sourceIdentifier":"security@huntr.dev","published":"2025-03-20T10:15:27.333","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"In kedro-org/kedro version 0.19.8, the `pull_package()` API function allows users to download and extract micro packages from the Internet. However, the function `project_wheel_metadata()` within the code path can execute the `setup.py` file inside the tar file, leading to remote code execution (RCE) by running arbitrary commands on the victim's machine."},{"lang":"es","value":"En la versión 0.19.8 de kedro-org/kedro, la función de API `pull_package()` permite a los usuarios descargar y extraer micropaquetes de internet. Sin embargo, la función `project_wheel_metadata()` dentro de la ruta de código puede ejecutar el archivo `setup.py` dentro del archivo tar, lo que provoca la ejecución remota de código (RCE) mediante la ejecución de comandos arbitrarios en el equipo de la víctima."}],"metrics":{"cvssMetricV30":[{"source":"security@huntr.dev","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security@huntr.dev","type":"Secondary","description":[{"lang":"en","value":"CWE-94"}]}],"references":[{"url":"https://huntr.com/bounties/fad27503-97a4-4933-91d4-96223b8c54d8","source":"security@huntr.dev"}]}}]}