Kedro Remote Code Execution Vulnerability via Malicious Logging Configuration

Vulnerability

A critical remote code execution vulnerability has been identified in Kedro versions prior to 1.3.0. Kedro reads the path of its logging configuration file from the KEDRO_LOGGING_CONFIG environment variable and loads that file without validating its contents. The logging configuration schema (Python's logging.config.dictConfig, to which Kedro hands the parsed YAML) lets any configuration entry name an arbitrary importable callable through its () key; that callable is imported and invoked, with the entry's remaining keys as keyword arguments, while logging is being configured. An attacker who can set the environment variable, or write to the file it points at, can therefore have system commands executed during application startup. The root cause is the unsafe handling of user-controlled input in logging configurations.

Impact

Exploitation of this vulnerability allows arbitrary code execution, with the privileges of the Kedro process, on the system where Kedro is running. The payload runs when logging is configured at startup, so no pipeline needs to be executed for it to fire.

Remediation

Users are advised to upgrade to Kedro version 1.3.0 or later. If an immediate upgrade is not possible: do not allow untrusted input to control the KEDRO_LOGGING_CONFIG environment variable; restrict write access to the logging configuration files it can point at; avoid externally supplied or dynamically generated logging configurations; and validate any logging YAML before it is loaded, rejecting files that contain the () key at any nesting level (not only at the top of a formatter or handler entry).
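The following is an added example, not Kedro's code, showing both halves of the issue described above: how dictConfig turns a () key into a call to an arbitrary importable name during logging setup, and a pre-load check of the kind the remediation asks for. The attacker_payload module is a stand-in registered in sys.modules so the demo runs offline and harmlessly (it only records that it was called); the configuration dict is a constructed sample equivalent to a malicious YAML file; and find_factory_keys / load_checked are hypothetical helper names. The strict mode goes beyond the page's ()-only check by also flagging class values outside the logging package, since dictConfig resolves and calls those too.

```python
"""Added example (not Kedro's code): dictConfig "()" factory keys, and a
pre-load check that rejects a logging config before it reaches dictConfig."""
import logging
import logging.config
import sys
import types

# Stand-in for an attacker-controlled importable (assumption for the demo).
# A real payload would name something like a shell-spawning function; this one
# only records that it ran, so the demonstration has no side effects.
INVOCATIONS = []


def _payload(**kwargs):
    INVOCATIONS.append(kwargs)
    # Return something dictConfig accepts as a formatter so configuration proceeds.
    return logging.Formatter("%(message)s")


_fake_module = types.ModuleType("attacker_payload")
_fake_module.run = _payload
sys.modules["attacker_payload"] = _fake_module

# Constructed sample: the parsed form of a logging YAML an attacker could point
# KEDRO_LOGGING_CONFIG at.  Equivalent YAML:
#   version: 1
#   formatters:
#     simple:
#       (): attacker_payload.run
#       marker: pwned
#   root:
#     level: INFO
MALICIOUS_CONFIG = {
    "version": 1,
    "formatters": {
        "simple": {
            "()": "attacker_payload.run",  # dotted name resolved and called by dictConfig
            "marker": "pwned",             # passed to the callable as a keyword argument
        }
    },
    "root": {"level": "INFO"},
}

SAFE_CONFIG = {"version": 1, "root": {"level": "INFO"}}


def load_unchecked(config):
    """What an unvalidated load does: dictConfig imports the name in "()" and
    calls it with the remaining keys as kwargs while configuring logging.
    Returns how many times the payload ran (1 for MALICIOUS_CONFIG)."""
    INVOCATIONS.clear()
    logging.config.dictConfig(config)
    return len(INVOCATIONS)


def find_factory_keys(node, path="", strict=False):
    """Return the dotted paths of every "()" key anywhere in a parsed logging
    config.  With strict=True, also flag "class" values outside the logging
    package, which dictConfig likewise imports and instantiates (this check
    goes beyond the "()"-only check named on the page)."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else str(key)
            if key == "()":
                hits.append(here)
            elif (strict and key == "class" and isinstance(value, str)
                  and not value.startswith("logging.")):
                hits.append(here)
            hits.extend(find_factory_keys(value, here, strict))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_factory_keys(item, f"{path}[{i}]", strict))
    return hits


def load_checked(config, strict=False):
    """Refuse to hand the config to dictConfig if it names any factory."""
    hits = find_factory_keys(config, strict=strict)
    if hits:
        raise ValueError(f"refusing logging config with factory keys at: {hits}")
    logging.config.dictConfig(config)
    return True


if __name__ == "__main__":
    print("unchecked load ran the payload", load_unchecked(MALICIOUS_CONFIG), "time(s)")
    try:
        load_checked(MALICIOUS_CONFIG)
    except ValueError as exc:
        print("checked load:", exc)
    print("safe config loaded:", load_checked(SAFE_CONFIG))
```

Running the script shows the payload executing once during dictConfig with no handler or logger ever referencing the formatter; the mere presence of the entry is enough. The check walks the whole parsed document rather than only the formatters and handlers sections, because dictConfig accepts () in filters as well and a validator that looks in one place is easy to bypass.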

Added: Apr 6, 2026, 6:26 PM
Updated: Apr 6, 2026, 6:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.8
remediation: 0.0
relevance: 5.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.