PT-2025-25763 · Unknown · Conda-Smithy
H4Pp1N3Ss · Published 2025-06-17 · Updated 2025-06-18 · CVE-2025-49843
CVSS v4.0: 2.7 (Low)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
conda-smithy versions prior to 3.47.1
Description
conda-smithy is a tool that combines a conda recipe with the configuration needed to build it on freely hosted CI services. In versions prior to 3.47.1, a function in the repository creates files with excessive permissions, allowing unauthorized read and write access. This violates the principle of least privilege and could be exploited by an attacker to access configuration files in shared hosting environments.
Recommendations
For versions prior to 3.47.1, update to version 3.47.1 to resolve the issue. As a temporary workaround, consider restricting file permissions to the minimum necessary to prevent unauthorized access.
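To make the weakness class and the workaround concrete, here is an added illustration written for this advisory (it is not conda-smithy's code; file names and contents are constructed): a helper that creates a file owner-only from the moment it exists, and an audit routine that lists files whose mode grants group or other access, which is what "restricting file permissions to the minimum necessary" amounts to on a shared host.

```python
import os
import stat
import tempfile
from pathlib import Path

# Permission bits that grant access to anyone other than the file owner.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def write_private_file(path, data: str, mode: int = 0o600) -> None:
    """Create `path` with owner-only permissions from the moment it exists.

    Opening with O_CREAT | O_EXCL and an explicit mode avoids the window in
    which a file created via plain open() sits at the umask-derived default
    (often 0o644) before a later chmod tightens it. O_EXCL also refuses to
    reuse a file or symlink that already exists at that path.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def overly_permissive_files(root) -> list:
    """Return (path, mode) for regular files under `root` readable or
    writable by group or other; an empty list means the tree is clean."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode & GROUP_OTHER_BITS:
            findings.append((str(p), oct(mode)))
    return sorted(findings)


def demo() -> list:
    """Constructed scenario: one correctly created file, one left at the
    typical 0o644 default; only the latter should be reported."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "conda-forge.yml")  # hypothetical file name
        write_private_file(good, "channels: [conda-forge]\n")
        weak = os.path.join(d, "world-readable.yml")  # hypothetical file name
        with open(weak, "w") as fh:
            fh.write("token: placeholder\n")
        os.chmod(weak, 0o644)  # constructed: emulate an umask-derived default
        return overly_permissive_files(d)


if __name__ == "__main__":
    for path, mode in demo():
        print(f"{mode} {path}")
```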
Exploit
Fix
Incorrect Default Permissions
Weakness Enumeration
Related Identifiers
Affected Products
Conda-Smithy