PT-2022-17918 · Unknown+1 · Miniconda3+1

Published: 2022-03-17 · Updated: 2024-03-06 · CVE-2022-26526

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Anaconda3 versions through 2021.11.0.0
Miniconda3 versions through 4.11.0.0

Description

The issue allows local users to gain privileges by placing a Trojan horse file into a world-writable directory under %PROGRAMDATA% that is added to the system PATH environment variable. This problem can only occur in non-default installations where the product is installed for all users and the system PATH is changed.

Recommendations

For Anaconda3 versions through 2021.11.0.0, avoid installing the product for all users or modifying the system PATH to prevent exploitation. For Miniconda3 versions through 4.11.0.0, consider restricting access to the world-writable directory under %PROGRAMDATA% until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
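To check whether a host matches the condition described above, the following PowerShell audit lists system PATH entries under %PROGRAMDATA% whose ACL lets broad groups write to them. It is an added example, not code from this advisory or from Anaconda; the variable names and the choice of groups and rights that count as "world-writable" (`$broadSids`, `$writeMask`, `$genericMask`) are assumptions.

```powershell
# Added example: audit machine-wide PATH entries under %PROGRAMDATA% for
# directories that low-privileged users can write to.
# Assumption: "world-writable" means an Allow ACE that grants write-type rights
# to Everyone, Authenticated Users, or BUILTIN\Users (well-known SIDs below).
$broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

# Rights that let a user drop or replace a file, or rewrite the ACL to allow it.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, ChangePermissions, TakeOwnership'
# GENERIC_WRITE | GENERIC_ALL, which can appear unmapped in inheritable ACEs.
$genericMask = 0x40000000 -bor 0x10000000

$programData = [IO.Path]::GetFullPath($env:ProgramData).TrimEnd('\')

# Read the system (not per-user) PATH, expand variables, normalise and de-duplicate.
$entries = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_.Trim() } |
    ForEach-Object {
        [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')).TrimEnd('\')
    } |
    Sort-Object -Unique

foreach ($dir in $entries) {
    # Only directories below %PROGRAMDATA% are in scope for this advisory.
    if (-not $dir.StartsWith("$programData\", [StringComparison]::OrdinalIgnoreCase)) { continue }
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

    # Explicit and inherited ACEs, with identities returned as SIDs so the
    # comparison does not depend on the localised group names.
    $rules = (Get-Acl -LiteralPath $dir).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadSids -notcontains $ace.IdentityReference.Value) { continue }

        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeMask) -or ($rights -band $genericMask)) {
            [pscustomobject]@{
                Directory = $dir
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

No output means no system PATH entry under %PROGRAMDATA% matched; any row returned is a directory whose access should be restricted as recommended above.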

Exploit

LPE

Incorrect Permission

Weakness Enumeration

Related Identifiers

BIT-MINICONDA-2022-26526
CVE-2022-26526

Affected Products

Anaconda3
Miniconda3