Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0.
Kedro loads the logging configuration file specified by the KEDRO_LOGGING_CONFIG environment variable without any validation of its contents. The logging.config.dictConfig() function supports a special '()' key that allows instantiation of arbitrary callable objects. An attacker can provide a crafted configuration file containing this key, leading to deserialization of untrusted data and execution of arbitrary system commands at application startup. The vulnerability results from a combination of two weaknesses: lack of input validation (CWE-94) and unsafe deserialization (CWE-502).
An attacker can execute arbitrary code on the server with Kedro process privileges during its startup, leading to full system compromise, data exfiltration, and potential lateral movement within the network.
Kedro should be updated to version 1.3.0 or newer, where the vulnerability has been fixed. Additionally, it is recommended to audit environments for unauthorized modifications of the KEDRO_LOGGING_CONFIG environment variable and restrict the ability to set environment variables by unauthorized parties.
Kedro (Linux Foundation project) in all versions before 1.3.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLinuxfoundation Kedro
APPLinuxfoundation< 1.3.0
Related vulnerabilities
Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the _get_versioned_path() method in kedr...
containerd is an open-source container runtime. In versions prior to 1.7.33, 2.3.2, 2.2.5, 2.1.9, and 2.0.10 t...
CloudNativePG: eskalacja uprawnień do superużytkownika PostgreSQL przez metrics exporter
AGL app-framework-main: Zip Slip + TOCTOU umożliwiają zapis dowolnych plików
Spinnaker Echo: nieograniczony dostęp SPeL umożliwia RCE