Vulnerability	Vulnerable Version
C Deserialization of Untrusted Data kedro is a Kedro helps you build production-ready data and analytics pipelines Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the `logging.config.dictConfig` function when user-controlled input is used for the logging configuration file path, which is loaded without validation. An attacker can execute arbitrary system commands by supplying a malicious logging configuration that leverages the special `()` key to instantiate arbitrary callables during application startup. How to fix Deserialization of Untrusted Data? Upgrade `kedro` to version 1.3.0 or higher.	[,1.3.0)
H Directory Traversal kedro is a Kedro helps you build production-ready data and analytics pipelines Affected versions of this package are vulnerable to Directory Traversal due to unsanitized version strings in versioned dataset path construction. The `AbstractVersionedDataset._get_versioned_path()` logic used during versioned dataset loading accepted unsafe version components, allowing an attacker to access unauthorized files outside the intended dataset directory by exploiting this vulnerability. How to fix Directory Traversal? Upgrade `kedro` to version 1.3.0 or higher.	[,1.3.0)

Deserialization of Untrusted Data

kedro is a Kedro helps you build production-ready data and analytics pipelines

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the logging.config.dictConfig function when user-controlled input is used for the logging configuration file path, which is loaded without validation. An attacker can execute arbitrary system commands by supplying a malicious logging configuration that leverages the special () key to instantiate arbitrary callables during application startup.

How to fix Deserialization of Untrusted Data?

Upgrade kedro to version 1.3.0 or higher.

[,1.3.0)

Directory Traversal

kedro is a Kedro helps you build production-ready data and analytics pipelines

Affected versions of this package are vulnerable to Directory Traversal due to unsanitized version strings in versioned dataset path construction. The AbstractVersionedDataset._get_versioned_path() logic used during versioned dataset loading accepted unsafe version components, allowing an attacker to access unauthorized files outside the intended dataset directory by exploiting this vulnerability.

How to fix Directory Traversal?

Upgrade kedro to version 1.3.0 or higher.

[,1.3.0)

Go back to all versions of this package