CVE-2024-9701

CVE-2024-9701 is a remote code execution (RCE) vulnerability in the Kedro ShelveStore class, specifically version 0.19.8. The flaw stems from the class's use of Python's shelve module, which relies on pickle for serialization and deserialization of session data. An attacker can craft a malicious payload that, when stored in the shelve file and subsequently deserialized, executes arbitrary Python code, as classified under CWE-502 (Deserialization of Untrusted Data).

The vulnerability can be exploited by any attacker with the ability to write a malicious payload to a shelve file used by a Kedro application employing the ShelveStore class. Upon deserialization of the payload during normal application operations, the attacker achieves RCE, potentially resulting in full system compromise depending on the application's privileges and environment.

Mitigation details are provided in the Kedro project's GitHub commit at https://github.com/kedro-org/kedro/commit/d79fa51de55ac0ccb58cce1a482df1b445f0fe7c, which addresses the issue, and further information including the bounty report is available at https://huntr.com/bounties/96c77fef-93b2-4d4d-8cbe-57a718d8eea5. Security practitioners should update to a patched version of Kedro beyond 0.19.8 and review applications using ShelveStore for exposure.