CNNVD-202506-1957 Information
CNNVD ID
CNNVD-202506-1957
Related CVE
- CNNVD Published: 2025-06-17
Description
Conda Constructor is an open-source tool from Conda for creating installers from conda packages. Versions of Conda Constructor before 3.11.3 contain a command injection vulnerability: an eval statement executes unsanitized user input when processing the installation prefix, which may lead to arbitrary command execution.
Hazard Level
Critical
Vulnerability Type
Command Injection
Affected Vendor
Conda
Published
2025-06-17
Last Modified
2026-02-24
References
https://github.com/conda/constructor/commit/ce4c2d58cfcde2f62d038fb8aba013176c77a0b1
https://github.com/conda/constructor/security/advisories/GHSA-44q9-rg2q-5g99
https://nvd.nist.gov/vuln/detail/CVE-2025-49823
https://access.redhat.com/security/cve/cve-2025-49823
Patch
https://github.com/conda/constructor/releases