PT-2021-22111 · Antilles · Antilles

Kotko Vladyslav · Published 2021-11-03 · Updated 2021-11-17 · CVE-2021-3840

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Antilles versions prior to 1.0.1
Description: A dependency confusion issue allows remote code execution during installation: a package listed in requirements.txt did not exist in the public package index (PyPI), so an unauthorized package of the same name published to that well-known public repository could be installed in its place. This is classified as an Uncontrolled Search Path Element. The configuration has been updated to install only components built by Antilles, removing all other public package indexes, and the antilles-tools dependency has been published to PyPI.
Recommendations: Update to version 1.0.1 or later as a precautionary measure, and remove previous versions of Antilles.
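As an added example (not code from the advisory or the Antilles project), the pip configuration that makes this confusion possible beside the hardened single-index form described in the fix, plus a check that flags requirements names absent from the public index whenever more than one index is consulted. The index URLs, requirements file and the public-name set are constructed placeholders.

```python
import configparser
import re

# Constructed sample: an installer consulting PyPI *and* a private index.
# Candidates are merged across both, so a same-named public upload can win.
WEAK_PIP_CONF = """
[global]
index-url = https://pypi.org/simple
extra-index-url = https://private.example.internal/simple
"""
# Constructed sample: the hardened form, a single index (hypothetical URL),
# as in the advisory's fix of removing the other public package indexes.
HARDENED_PIP_CONF = """
[global]
index-url = https://private.example.internal/simple
"""
# Constructed requirements.txt; antilles-tools is the private dependency
# named in the advisory.
REQUIREMENTS = """
requests==2.26.0
antilles-tools
"""
# Constructed stand-in for "does this name exist on the public index?"
PUBLIC_INDEX = {"requests"}


def extra_indexes(conf_text):
    """Return the extra-index-url entries from pip.conf text (may be empty)."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    if not cp.has_section("global"):
        return []
    return cp["global"].get("extra-index-url", "").split()


def parse_requirements(req_text):
    """Return normalised project names from requirements.txt lines."""
    names = []
    for line in req_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue  # comments and pip options (-e, --index-url, ...)
        name = re.split(r"[\[<>=!~;@ ]", line, maxsplit=1)[0]
        names.append(name.lower().replace("_", "-"))
    return names


def confusion_candidates(conf_text, req_text, public_names):
    """Names absent from the public index while several indexes are consulted."""
    if not extra_indexes(conf_text):
        return []  # single index: no second repository to race against
    return [n for n in parse_requirements(req_text) if n not in public_names]
```

With the weak configuration the check reports `antilles-tools`; with the single-index configuration it reports nothing, which is the state the fix restores.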

Fix

Uncontrolled Search Path Element

Weakness Enumeration

Related Identifiers

CVE-2021-3840
GHSA-HGC3-HP6X-WPGX
PYSEC-2021-840

Affected Products

Antilles