Search criteria
7 vulnerabilities by conda
CVE-2025-64343 (GCVE-0-2025-64343)
Vulnerability from cvelistv5 – Published: 2025-11-07 05:20 – Updated: 2025-11-07 17:24
VLAI?
Title
(conda) Constructor: Excessive permissions during and after installation
Summary
(conda) Constructor is a tool that enables users to create installers for conda package collections. In versions 3.12.2 and below, the installation directory inherits permissions from its parent directory. Outside of restricted directories, the permissions are very permissive and often allow write access by authenticated users. Any logged in user can make modifications during the installation for both single-user and all-user installations. This constitutes a local attack vector if the installation is in a directory local users have access to. For single-user installations in a shared directory, these permissions persist after the installation. This issue is fixed in version 3.13.0.
Severity ?
7.8 (High)
CWE
- CWE-289 - Authentication Bypass by Alternate Name
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| conda | constructor |
Affected:
< 3.13.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64343",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-07T17:22:38.278569Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T17:24:38.228Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "constructor",
"vendor": "conda",
"versions": [
{
"status": "affected",
"version": "\u003c 3.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "(conda) Constructor is a tool that enables users to create installers for conda package collections. In versions 3.12.2 and below, the installation directory inherits permissions from its parent directory. Outside of restricted directories, the permissions are very permissive and often allow write access by authenticated users. Any logged in user can make modifications during the installation for both single-user and all-user installations. This constitutes a local attack vector if the installation is in a directory local users have access to. For single-user installations in a shared directory, these permissions persist after the installation. This issue is fixed in version 3.13.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-289",
"description": "CWE-289: Authentication Bypass by Alternate Name",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T05:20:38.659Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/conda/constructor/security/advisories/GHSA-vvpr-2qg4-2mrq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/conda/constructor/security/advisories/GHSA-vvpr-2qg4-2mrq"
},
{
"name": "https://github.com/conda/constructor/commit/c368383710a7c2b81ad1b0ecb9724b38d3577447",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda/constructor/commit/c368383710a7c2b81ad1b0ecb9724b38d3577447"
},
{
"name": "https://github.com/conda/constructor/releases/tag/3.13.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda/constructor/releases/tag/3.13.0"
}
],
"source": {
"advisory": "GHSA-vvpr-2qg4-2mrq",
"discovery": "UNKNOWN"
},
"title": "(conda) Constructor: Excessive permissions during and after installation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64343",
"datePublished": "2025-11-07T05:20:38.659Z",
"dateReserved": "2025-10-30T17:40:52.031Z",
"dateUpdated": "2025-11-07T17:24:38.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-49823 (GCVE-0-2025-49823)
Vulnerability from cvelistv5 – Published: 2025-06-17 02:21 – Updated: 2025-06-17 15:52
VLAI?
Title
Conda Constructor Command Injection via Unsanitized User Input (Low)
Summary
(conda) Constructor is a tool which allows constructing an installer for a collection of conda packages. Prior to version 3.11.3, shell installer scripts process the installation prefix (user_prefix) using an eval statement, which executes unsanitized user input as shell code. Although the script runs with user privileges (not root), an attacker could exploit this by injecting arbitrary commands through a malicious path during installation. Exploitation requires explicit user action. This issue has been patched in version 3.11.3.
Severity ?
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| conda | constructor |
Affected:
< 3.11.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49823",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T15:51:15.900223Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T15:52:25.295Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "constructor",
"vendor": "conda",
"versions": [
{
"status": "affected",
"version": "\u003c 3.11.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "(conda) Constructor is a tool which allows constructing an installer for a collection of conda packages. Prior to version 3.11.3, shell installer scripts process the installation prefix (user_prefix) using an eval statement, which executes unsanitized user input as shell code. Although the script runs with user privileges (not root), an attacker could exploit this by injecting arbitrary commands through a malicious path during installation. Exploitation requires explicit user action. This issue has been patched in version 3.11.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 0,
"baseSeverity": "NONE",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T02:21:17.496Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/conda/constructor/security/advisories/GHSA-44q9-rg2q-5g99",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/conda/constructor/security/advisories/GHSA-44q9-rg2q-5g99"
},
{
"name": "https://github.com/conda/constructor/commit/ce4c2d58cfcde2f62d038fb8aba013176c77a0b1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda/constructor/commit/ce4c2d58cfcde2f62d038fb8aba013176c77a0b1"
}
],
"source": {
"advisory": "GHSA-44q9-rg2q-5g99",
"discovery": "UNKNOWN"
},
"title": "Conda Constructor Command Injection via Unsanitized User Input (Low)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49823",
"datePublished": "2025-06-17T02:21:17.496Z",
"dateReserved": "2025-06-11T14:33:57.798Z",
"dateUpdated": "2025-06-17T15:52:25.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32800 (GCVE-0-2025-32800)
Vulnerability from cvelistv5 – Published: 2025-06-16 20:38 – Updated: 2025-06-17 19:03
VLAI?
Title
Conda-build vulnerable to supply chain attack vector due to pyproject.toml referring to dependencies not present in PyPI
Summary
Conda-build contains commands and tools to build conda packages. Prior to version 25.3.0, the pyproject.toml lists conda-index as a Python dependency. This package is not published in PyPI. An attacker could claim this namespace and upload arbitrary (malicious) code to the package, and then exploit pip install commands by injecting the malicious dependency in the solve. This issue has been fixed in version 25.3.0. A workaround involves using --no-deps for pip install-ing the project from the repository.
Severity ?
CWE
- CWE-1357 - Reliance on Insufficiently Trustworthy Component
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| conda | conda-build |
Affected:
< 25.3.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32800",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T19:03:28.674132Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T19:03:49.217Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "conda-build",
"vendor": "conda",
"versions": [
{
"status": "affected",
"version": "\u003c 25.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Conda-build contains commands and tools to build conda packages. Prior to version 25.3.0, the pyproject.toml lists conda-index as a Python dependency. This package is not published in PyPI. An attacker could claim this namespace and upload arbitrary (malicious) code to the package, and then exploit pip install commands by injecting the malicious dependency in the solve. This issue has been fixed in version 25.3.0. A workaround involves using --no-deps for pip install-ing the project from the repository."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1357",
"description": "CWE-1357: Reliance on Insufficiently Trustworthy Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T20:38:53.100Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/conda/conda-build/security/advisories/GHSA-83gh-p93g-cwgx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/conda/conda-build/security/advisories/GHSA-83gh-p93g-cwgx"
},
{
"name": "https://github.com/conda/conda-build/commit/f5a6aeef0d5d6940b8c2a88796910dc7476a62bb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda/conda-build/commit/f5a6aeef0d5d6940b8c2a88796910dc7476a62bb"
},
{
"name": "https://drive.google.com/file/d/18qe97zxcpTn2l84187A9meGCi2Wg-n_Y/view",
"tags": [
"x_refsource_MISC"
],
"url": "https://drive.google.com/file/d/18qe97zxcpTn2l84187A9meGCi2Wg-n_Y/view"
}
],
"source": {
"advisory": "GHSA-83gh-p93g-cwgx",
"discovery": "UNKNOWN"
},
"title": "Conda-build vulnerable to supply chain attack vector due to pyproject.toml referring to dependencies not present in PyPI"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32800",
"datePublished": "2025-06-16T20:38:53.100Z",
"dateReserved": "2025-04-10T12:51:12.282Z",
"dateUpdated": "2025-06-17T19:03:49.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32799 (GCVE-0-2025-32799)
Vulnerability from cvelistv5 – Published: 2025-06-16 20:23 – Updated: 2025-06-17 18:10
VLAI?
Title
Conda-build Vulnerable to Path Traversal via Malicious Tar File
Summary
Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build processing logic is vulnerable to path traversal (Tarslip) attacks due to improper sanitization of tar entry paths. Attackers can craft tar archives containing entries with directory traversal sequences to write files outside the intended extraction directory. This could lead to arbitrary file overwrites, privilege escalation, or code execution if sensitive locations are targeted. This issue has been patched in version 25.4.0.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| conda | conda-build |
Affected:
< 25.4.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32799",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T18:10:10.155610Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T18:10:29.876Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/conda/conda-build/security/advisories/GHSA-h499-pxgj-qh5h"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "conda-build",
"vendor": "conda",
"versions": [
{
"status": "affected",
"version": "\u003c 25.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build processing logic is vulnerable to path traversal (Tarslip) attacks due to improper sanitization of tar entry paths. Attackers can craft tar archives containing entries with directory traversal sequences to write files outside the intended extraction directory. This could lead to arbitrary file overwrites, privilege escalation, or code execution if sensitive locations are targeted. This issue has been patched in version 25.4.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T20:23:02.645Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/conda/conda-build/security/advisories/GHSA-h499-pxgj-qh5h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/conda/conda-build/security/advisories/GHSA-h499-pxgj-qh5h"
},
{
"name": "https://github.com/conda/conda-build/commit/bdf5e0022cec9a0c1378cca3f2dc8c92b4834673",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda/conda-build/commit/bdf5e0022cec9a0c1378cca3f2dc8c92b4834673"
},
{
"name": "https://github.com/conda/conda-build/blob/834448b995eee02cf1c2e7ca97bcfa9affc77ee5/conda_build/convert.py",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda/conda-build/blob/834448b995eee02cf1c2e7ca97bcfa9affc77ee5/conda_build/convert.py"
},
{
"name": "https://github.com/conda/conda-build/blob/834448b995eee02cf1c2e7ca97bcfa9affc77ee5/conda_build/render.py",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda/conda-build/blob/834448b995eee02cf1c2e7ca97bcfa9affc77ee5/conda_build/render.py"
}
],
"source": {
"advisory": "GHSA-h499-pxgj-qh5h",
"discovery": "UNKNOWN"
},
"title": "Conda-build Vulnerable to Path Traversal via Malicious Tar File"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32799",
"datePublished": "2025-06-16T20:23:02.645Z",
"dateReserved": "2025-04-10T12:51:12.282Z",
"dateUpdated": "2025-06-17T18:10:29.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32798 (GCVE-0-2025-32798)
Vulnerability from cvelistv5 – Published: 2025-06-16 20:10 – Updated: 2025-06-17 18:11
VLAI?
Title
Conda-build Allows Arbitrary Code Execution via Malicious Recipe Selectors
Summary
Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build recipe processing logic has been found to be vulnerable to arbitrary code execution due to unsafe evaluation of recipe selectors. Currently, conda-build uses the eval function to process embedded selectors in meta.yaml files. This approach evaluates user-defined expressions without proper sanitization, which allows arbitrary code to be executed during the build process. As a result, the integrity of the build environment is compromised, and unauthorized commands or file operations may be performed. The vulnerability stems from the inherent risk of using eval() on untrusted input in a context intended to control dynamic build configurations. By directly interpreting selector expressions, conda-build creates a potential execution pathway for malicious code, violating security assumptions. This issue has been patched in version 25.4.0.
Severity ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| conda | conda-build |
Affected:
< 25.4.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32798",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T18:11:11.970277Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T18:11:27.848Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/conda/conda-build/security/advisories/GHSA-6cc8-c3c9-3rgr"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "conda-build",
"vendor": "conda",
"versions": [
{
"status": "affected",
"version": "\u003c 25.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build recipe processing logic has been found to be vulnerable to arbitrary code execution due to unsafe evaluation of recipe selectors. Currently, conda-build uses the eval function to process embedded selectors in meta.yaml files. This approach evaluates user-defined expressions without proper sanitization, which allows arbitrary code to be executed during the build process. As a result, the integrity of the build environment is compromised, and unauthorized commands or file operations may be performed. The vulnerability stems from the inherent risk of using eval() on untrusted input in a context intended to control dynamic build configurations. By directly interpreting selector expressions, conda-build creates a potential execution pathway for malicious code, violating security assumptions. This issue has been patched in version 25.4.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T20:10:06.902Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/conda/conda-build/security/advisories/GHSA-6cc8-c3c9-3rgr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/conda/conda-build/security/advisories/GHSA-6cc8-c3c9-3rgr"
},
{
"name": "https://github.com/conda/conda-build/commit/3d87213b840774a24ab1733664d2b36664233754",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda/conda-build/commit/3d87213b840774a24ab1733664d2b36664233754"
},
{
"name": "https://github.com/conda/conda-build/blob/834448b995eee02cf1c2e7ca97bcfa9affc77ee5/conda_build/metadata.py",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda/conda-build/blob/834448b995eee02cf1c2e7ca97bcfa9affc77ee5/conda_build/metadata.py"
}
],
"source": {
"advisory": "GHSA-6cc8-c3c9-3rgr",
"discovery": "UNKNOWN"
},
"title": "Conda-build Allows Arbitrary Code Execution via Malicious Recipe Selectors"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32798",
"datePublished": "2025-06-16T20:10:06.902Z",
"dateReserved": "2025-04-10T12:51:12.282Z",
"dateUpdated": "2025-06-17T18:11:27.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32797 (GCVE-0-2025-32797)
Vulnerability from cvelistv5 – Published: 2025-06-16 18:46 – Updated: 2025-06-17 13:57
VLAI?
Title
Conda-build Insecure Build Script Permissions Enabling Arbitrary Code Execution
Summary
Conda-build contains commands and tools to build conda packages. Prior to version 25.3.1, the write_build_scripts function in conda-build creates the temporary build script conda_build.sh with overly permissive file permissions (0o766), allowing write access to all users. Attackers with filesystem access can exploit a race condition to overwrite the script before execution, enabling arbitrary code execution under the victim's privileges. This risk is significant in shared environments, potentially leading to full system compromise. Even with non-static directory names, attackers can monitor parent directories for file creation events. The brief window between script creation (with insecure permissions) and execution allows rapid overwrites. Directory names can also be inferred via timestamps or logs, and automation enables exploitation even with semi-randomized paths by acting within milliseconds of detection. This issue has been patched in version 25.3.1. A workaround involves restricting conda_build.sh permissions from 0o766 to 0o700 (owner-only read/write/execute). Additionally, use atomic file creation (write to a temporary randomized filename and rename atomically) to minimize the race condition window.
Severity ?
CWE
- CWE-277 - Insecure Inherited Permissions
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| conda | conda-build |
Affected:
< 25.3.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32797",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T13:56:56.517803Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T13:57:44.968Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "conda-build",
"vendor": "conda",
"versions": [
{
"status": "affected",
"version": "\u003c 25.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Conda-build contains commands and tools to build conda packages. Prior to version 25.3.1, the write_build_scripts function in conda-build creates the temporary build script conda_build.sh with overly permissive file permissions (0o766), allowing write access to all users. Attackers with filesystem access can exploit a race condition to overwrite the script before execution, enabling arbitrary code execution under the victim\u0027s privileges. This risk is significant in shared environments, potentially leading to full system compromise. Even with non-static directory names, attackers can monitor parent directories for file creation events. The brief window between script creation (with insecure permissions) and execution allows rapid overwrites. Directory names can also be inferred via timestamps or logs, and automation enables exploitation even with semi-randomized paths by acting within milliseconds of detection. This issue has been patched in version 25.3.1. A workaround involves restricting conda_build.sh permissions from 0o766 to 0o700 (owner-only read/write/execute). Additionally, use atomic file creation (write to a temporary randomized filename and rename atomically) to minimize the race condition window."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-277",
"description": "CWE-277: Insecure Inherited Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T19:57:20.412Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/conda/conda-build/security/advisories/GHSA-vfp6-3v8g-vcmm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/conda/conda-build/security/advisories/GHSA-vfp6-3v8g-vcmm"
},
{
"name": "https://github.com/conda/conda-build/pull/5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda/conda-build/pull/5"
},
{
"name": "https://github.com/conda/conda-build/commit/d246e49c8f45e8033915156ee3d77769926f3c2e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda/conda-build/commit/d246e49c8f45e8033915156ee3d77769926f3c2e"
},
{
"name": "https://github.com/conda/conda-build/blob/3f06913bba22c4e1ef1065df9e00d86ac97f087c/conda_build/build.py#L3054-L3084",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/conda/conda-build/blob/3f06913bba22c4e1ef1065df9e00d86ac97f087c/conda_build/build.py#L3054-L3084"
}
],
"source": {
"advisory": "GHSA-vfp6-3v8g-vcmm",
"discovery": "UNKNOWN"
},
"title": "Conda-build Insecure Build Script Permissions Enabling Arbitrary Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32797",
"datePublished": "2025-06-16T18:46:31.227Z",
"dateReserved": "2025-04-10T12:51:12.282Z",
"dateUpdated": "2025-06-17T13:57:44.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26526 (GCVE-0-2022-26526)
Vulnerability from cvelistv5 – Published: 2022-03-17 14:57 – Updated: 2024-08-03 05:03
VLAI?
Summary
Anaconda Anaconda3 (Anaconda Distribution) through 2021.11.0.0 and Miniconda3 through 4.11.0.0 can create a world-writable directory under %PROGRAMDATA% and place that directory into the system PATH environment variable. Thus, for example, local users can gain privileges by placing a Trojan horse file into that directory. (This problem can only happen in a non-default installation. The person who installs the product must specify that it is being installed for all users. Also, the person who installs the product must specify that the system PATH should be changed.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:03:32.786Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.conda.io/en/latest/miniconda.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/continuumio/anaconda-issues/issues"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://improsec.com/tech-blog/privilege-escalation-vulnerability-in-anaconda3-and-miniconda3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://repo.anaconda.com/miniconda/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Anaconda Anaconda3 (Anaconda Distribution) through 2021.11.0.0 and Miniconda3 through 4.11.0.0 can create a world-writable directory under %PROGRAMDATA% and place that directory into the system PATH environment variable. Thus, for example, local users can gain privileges by placing a Trojan horse file into that directory. (This problem can only happen in a non-default installation. The person who installs the product must specify that it is being installed for all users. Also, the person who installs the product must specify that the system PATH should be changed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-07T13:36:32",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.conda.io/en/latest/miniconda.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/continuumio/anaconda-issues/issues"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://improsec.com/tech-blog/privilege-escalation-vulnerability-in-anaconda3-and-miniconda3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://repo.anaconda.com/miniconda/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-26526",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Anaconda Anaconda3 (Anaconda Distribution) through 2021.11.0.0 and Miniconda3 through 4.11.0.0 can create a world-writable directory under %PROGRAMDATA% and place that directory into the system PATH environment variable. Thus, for example, local users can gain privileges by placing a Trojan horse file into that directory. (This problem can only happen in a non-default installation. The person who installs the product must specify that it is being installed for all users. Also, the person who installs the product must specify that the system PATH should be changed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.conda.io/en/latest/miniconda.html",
"refsource": "MISC",
"url": "https://docs.conda.io/en/latest/miniconda.html"
},
{
"name": "https://github.com/continuumio/anaconda-issues/issues",
"refsource": "MISC",
"url": "https://github.com/continuumio/anaconda-issues/issues"
},
{
"name": "https://improsec.com/tech-blog/privilege-escalation-vulnerability-in-anaconda3-and-miniconda3",
"refsource": "MISC",
"url": "https://improsec.com/tech-blog/privilege-escalation-vulnerability-in-anaconda3-and-miniconda3"
},
{
"name": "https://repo.anaconda.com/miniconda/",
"refsource": "MISC",
"url": "https://repo.anaconda.com/miniconda/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-26526",
"datePublished": "2022-03-17T14:57:36",
"dateReserved": "2022-03-07T00:00:00",
"dateUpdated": "2024-08-03T05:03:32.786Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}