kedro 0.19.4 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the kedro package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Unsafe Dependency Resolution kedro is a Kedro helps you build production-ready data and analytics pipelines Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the `pull_package` API function. An attacker can execute arbitrary commands on the victim's machine by exploiting the `project_wheel_metadata` function to execute the `setup.py` file inside the tar file. Note: This vulnerability bypasses the protections newly implemented through the `safe_extract()` function. How to fix Unsafe Dependency Resolution? Upgrade `kedro` to version 1.0.0 or higher.	[0.18.11,1.0.0)
C Deserialization of Untrusted Data kedro is a Kedro helps you build production-ready data and analytics pipelines Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to improper validation in the `ShelveStore` class in the `kedro.framework.session.shelvestore` module. This vulnerability allows attackers to execute arbitrary code during the deserialization process. Note: To exploit this vulnerability, an attacker would need write access to the session store files. How to fix Deserialization of Untrusted Data? Upgrade `kedro` to version 0.19.9 or higher.	[,0.19.9)

Vulnerability

Vulnerable Version

Unsafe Dependency Resolution

kedro is a Kedro helps you build production-ready data and analytics pipelines

Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the pull_package API function. An attacker can execute arbitrary commands on the victim's machine by exploiting the project_wheel_metadata function to execute the setup.py file inside the tar file.

Note:

This vulnerability bypasses the protections newly implemented through the safe_extract() function.

How to fix Unsafe Dependency Resolution?

Upgrade kedro to version 1.0.0 or higher.

[0.18.11,1.0.0)

Deserialization of Untrusted Data

kedro is a Kedro helps you build production-ready data and analytics pipelines

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to improper validation in the ShelveStore class in the kedro.framework.session.shelvestore module. This vulnerability allows attackers to execute arbitrary code during the deserialization process.

Note: To exploit this vulnerability, an attacker would need write access to the session store files.

How to fix Deserialization of Untrusted Data?

Upgrade kedro to version 0.19.9 or higher.

[,0.19.9)

kedro@0.19.4 vulnerabilities

Kedro helps you build production-ready data and analytics pipelines

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically