CVE-2026-35492
kedro-datasets has a path traversal vulnerability in PartitionedDataset that allows arbitrary file write
Description

### Impact

PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing `..` components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem. Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected.

### Patches

Yes. The vulnerability has been patched in kedro-datasets version 9.3.0. Users should upgrade to kedro-datasets >= 9.3.0. The fix normalizes constructed paths using `posixpath.normpath` and validates that the resolved path remains within the dataset base directory before use, raising a `DatasetError` if the path escapes the base directory.

### Workarounds

Users who cannot upgrade should validate partition IDs before passing them to PartitionedDataset, ensuring they do not contain `..` path components.

### References

Fix: https://github.com/kedro-org/kedro-plugins/pull/1346
Report: https://github.com/kedro-org/kedro/issues/5452
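The following is an added example, not code from kedro-datasets or the fix PR. It reproduces the vulnerable concatenation pattern described above next to the kind of containment check the advisory describes (normalize with `posixpath.normpath`, then refuse any result that is not under the base path), and it doubles as the pre-upgrade workaround: `is_safe_partition_id` can be run over partition IDs before they reach PartitionedDataset. The function names, the local `DatasetError` class, the `protocol://` splitting and the decision to reject a partition ID that resolves to the base directory itself are assumptions of this example. It goes beyond the `..` case in the advisory: the same containment check also rejects absolute partition IDs, which `posixpath.join` would otherwise let replace the base path entirely.

```python
import posixpath


class DatasetError(Exception):
    """Raised when a partition path would escape the dataset base path (assumed name)."""


def _split_protocol(path: str) -> tuple[str, str]:
    """Separate an fsspec-style 'proto://' prefix so normpath never collapses its '//'.

    Assumption of this example; the real library's handling of protocols may differ.
    """
    if "://" in path:
        protocol, _, rest = path.partition("://")
        return protocol + "://", rest
    return "", path


def vulnerable_partition_path(base_path: str, partition_id: str) -> str:
    """Pre-9.3.0 pattern as the advisory describes it: join with no validation."""
    return posixpath.join(base_path, partition_id)


def safe_partition_path(base_path: str, partition_id: str) -> str:
    """Join, normalize, and require the result to stay strictly inside base_path."""
    protocol, base = _split_protocol(base_path)
    base = posixpath.normpath(base)
    # posixpath.join discards `base` if partition_id is absolute, so the
    # containment check below is what actually catches "/etc/passwd" style IDs.
    full = posixpath.normpath(posixpath.join(base, partition_id))
    prefix = base if base.endswith("/") else base + "/"
    if not full.startswith(prefix):
        raise DatasetError(
            f"Partition ID {partition_id!r} resolves to {full!r}, "
            f"outside the dataset base path {protocol + base!r}"
        )
    return protocol + full


def is_safe_partition_id(base_path: str, partition_id: str) -> bool:
    """Workaround helper: True if partition_id cannot escape base_path."""
    try:
        safe_partition_path(base_path, partition_id)
    except DatasetError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample IDs: one legitimate, two traversal attempts, one absolute.
    base = "data/01_raw/parts"
    for pid in ["2024/01/report.csv", "../../../etc/passwd", "a/../../escape.csv", "/etc/passwd"]:
        print(f"{pid!r:28} vulnerable -> {vulnerable_partition_path(base, pid)!r}")
        print(f"{'':28} safe       -> {is_safe_partition_id(base, pid)}")
```

Run it as a script to see that the vulnerable join happily produces `data/01_raw/parts/../../../etc/passwd` while the hardened join rejects every ID that normalizes to a location outside the base. Note that the check operates on the normalized string, so it is backend-agnostic: it does not touch the filesystem or the object store, which is what makes it usable for S3 and GCS keys as well as local paths.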
How to fix CVE-2026-35492
To fix CVE-2026-35492, upgrade the affected package to the patched version below.
- kedro-datasets: upgrade to 9.3.0 or later
Is CVE-2026-35492 being exploited?
Low: EPSS score 0.0%; no widespread exploitation activity has been observed so far.
Affected packages (1)
- kedro-datasets: all versions >= 0 and < 9.3.0
CVSS score
| Source | Version | Severity |
|---|---|---|