SCA: security update for kedro (GHSA-747f-ww56-4q4h)

critical Tenable Self-Hosted Container Security Plugin ID 421174

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A Remote Code Execution (RCE) vulnerability has been identified in the Kedro ShelveStore class (version
0.19.8). This vulnerability allows an attacker to execute arbitrary Python code via deserialization of
malicious payloads, potentially leading to a full system compromise. The ShelveStore class uses Python's
shelve module to manage session data, which relies on pickle for serialization. Crafting a malicious
payload and storing it in the shelve file can lead to RCE when the payload is deserialized.
(CVE-2024-9701)

Solution

Update the kedro library and its related packages to version 0.19.9 or later.

See Also

https://github.com/advisories/GHSA-747f-ww56-4q4h

Plugin Details

Severity: Critical

ID: 421174

Version: Revision 1.17

Type: Local

Family: SCA Checks

Published: 3/21/2025

Updated: 7/6/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.75

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-9701

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/20/2025

Vulnerability Publication Date: 3/20/2025

Reference Information

CVE: CVE-2024-9701

cwe: CWE-502