In kedro-org/kedro version 0.19.8, the `pull_package()` API function allows users to download and extract micro packages from the Internet. However, the function `project_wheel_metadata()` within the code path can execute the `setup.py` file inside the tar file, leading to remote code execution (RCE) by running arbitrary commands on the victim's machine.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| kedro(PyPI) | 0 | N/A | N/A |
CVSS Metrics
