H4Pp1N3Ss

**Name of the Vulnerable Software and Affected Versions** conda-forge-webservices versions prior to 2025.3.24 **Description** The conda-forge-webservices web app, used to run conda-forge admin commands and linting, has an issue where the conda forge webservice Docker container executes commands without specifying a user, defaulting to the root user. This increases the risk of privilege escalation and host compromise if a vulnerability is exploited. **Recommendations** For versions prior to 2025.3.24, update to version 2025.3.24 to resolve the issue. As a temporary workaround, consider configuring the Docker container to run as a non-root user until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** conda-smithy versions prior to 3.47.1 **Description** The issue concerns a tool that combines a conda recipe with configurations for building using freely hosted CI services. Prior to version 3.47.1, a function in the repository creates files with excessive permissions, allowing unauthorized read and write access. This violates the principle of least privilege and could be exploited by an attacker to access configuration files in shared hosting environments. **Recommendations** For versions prior to 3.47.1, update to version 3.47.1 to resolve the issue. As a temporary workaround, consider restricting file permissions to the minimum necessary to prevent unauthorized access.