Conda Smithy
Monthly
Unintended write access to conda-forge feedstock repositories in conda-smithy prior to 3.61.0 allows attackers who register an abandoned or relinquished GitHub username (a username takeover) to be auto-invited as a maintainer when the conda-forge webservices route repository invitations based on mutable usernames rather than immutable user IDs. The flaw maps to CWE-284 (Improper Access Control) and impacts the conda-forge package supply chain; no public exploit identified at time of analysis, but the GitHub security advisory GHSA-g95q-3cmj-fvh8 and a fix commit are public.
Unintended write access to conda-forge feedstock repositories in conda-smithy prior to 3.61.0 allows attackers who register an abandoned or relinquished GitHub username (a username takeover) to be auto-invited as a maintainer when the conda-forge webservices route repository invitations based on mutable usernames rather than immutable user IDs. The flaw maps to CWE-284 (Improper Access Control) and impacts the conda-forge package supply chain; no public exploit identified at time of analysis, but the GitHub security advisory GHSA-g95q-3cmj-fvh8 and a fix commit are public.