Conda Build
Monthly
Conda-build versions prior to 25.3.0 are vulnerable to dependency confusion/namespace squatting attacks where an attacker can claim the unpublished 'conda-index' package on PyPI and inject malicious code that gets installed when users run pip install on conda-build projects. This is a critical supply-chain attack vector with CVSS 9.8 (CRITICAL) affecting all users who install conda-build from source or install projects that depend on it via pip, potentially compromising developer environments and CI/CD pipelines. The vulnerability is network-accessible, requires no privileges or user interaction, and provides complete system compromise (confidentiality, integrity, availability).
Conda-build versions prior to 25.4.0 are vulnerable to path traversal (Tarslip) attacks that allow unauthenticated remote attackers to write arbitrary files outside intended extraction directories by crafting malicious tar archives with directory traversal sequences. This critical vulnerability (CVSS 9.8) affects all users and systems utilizing conda-build for package compilation, with potential for privilege escalation and code execution depending on target file locations and system permissions.
Critical arbitrary code execution vulnerability in conda-build prior to version 25.4.0, where unsafe eval() function usage on meta.yaml recipe selectors allows unauthenticated remote attackers to execute arbitrary code during the package build process with no required privileges or user interaction. This vulnerability affects all users and systems using vulnerable conda-build versions to process potentially malicious or compromised recipe files, with a CVSS score of 9.8 indicating critical severity across confidentiality, integrity, and availability impacts.
A security vulnerability in Conda-build (CVSS 7.0). High severity vulnerability requiring prompt remediation. Vendor patch is available.
Conda-build versions prior to 25.3.0 are vulnerable to dependency confusion/namespace squatting attacks where an attacker can claim the unpublished 'conda-index' package on PyPI and inject malicious code that gets installed when users run pip install on conda-build projects. This is a critical supply-chain attack vector with CVSS 9.8 (CRITICAL) affecting all users who install conda-build from source or install projects that depend on it via pip, potentially compromising developer environments and CI/CD pipelines. The vulnerability is network-accessible, requires no privileges or user interaction, and provides complete system compromise (confidentiality, integrity, availability).
Conda-build versions prior to 25.4.0 are vulnerable to path traversal (Tarslip) attacks that allow unauthenticated remote attackers to write arbitrary files outside intended extraction directories by crafting malicious tar archives with directory traversal sequences. This critical vulnerability (CVSS 9.8) affects all users and systems utilizing conda-build for package compilation, with potential for privilege escalation and code execution depending on target file locations and system permissions.
Critical arbitrary code execution vulnerability in conda-build prior to version 25.4.0, where unsafe eval() function usage on meta.yaml recipe selectors allows unauthenticated remote attackers to execute arbitrary code during the package build process with no required privileges or user interaction. This vulnerability affects all users and systems using vulnerable conda-build versions to process potentially malicious or compromised recipe files, with a CVSS score of 9.8 indicating critical severity across confidentiality, integrity, and availability impacts.
A security vulnerability in Conda-build (CVSS 7.0). High severity vulnerability requiring prompt remediation. Vendor patch is available.