Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Kedro has a path traversal in versioned dataset loading via unsanitized version string
Vulnerability Description
Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the _get_versioned_path() method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences such as ../ are preserved and can escape the intended versioned dataset directory. This is reachable through multiple entry points: catalog.load(..., version=...), DataCatalog.from_config(..., load_versions=...), and the CLI via kedro run --load-versions=dataset:../../../secrets. An attacker who can influence the version string can force Kedro to load files from outside the intended version directory, enabling unauthorized file reads, data poisoning, or cross-tenant data access in shared environments. This vulnerability is fixed in 1.3.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
Kedro 路径遍历漏洞
Vulnerability Description
Kedro是Kedro开源的一个生产就绪数据科学的工具箱。 Kedro 1.3.0之前版本存在路径遍历漏洞,该漏洞源于_get_versioned_path方法未清理用户提供的版本字符串,可能导致路径遍历和未授权文件读取。
CVSS Information
N/A
Vulnerability Type
N/A