CNNVD-202506-2126 Information
CNNVD ID
CNNVD-202506-2126
Related CVE
- CNNVD Published: 2025-06-17
Description
conda-forge conda-smithy is an open-source tool from conda-forge for managing conda-forge feedstocks. Versions of conda-forge conda-smithy before 3.47.1 contain an information disclosure vulnerability: the travis_encrypt_binstar_token implementation is exposed to the risk of a padding oracle attack.
Hazard Level
High
Vulnerability Type
Information disclosure
Affected Vendor
conda-forge
Published
2025-06-17
Last Modified
2026-02-24
References
https://github.com/conda-forge/conda-smithy/blob/46a06524eeeb7f59e0969c3967ce5f700643d322/conda_smithy/ci_register.py#L447
https://github.com/conda-forge/conda-smithy/commit/24cc0a55a363479e797c825be3a7f2603ef374a1
https://github.com/conda-forge/conda-smithy/security/advisories/GHSA-2xf4-hg9q-m58q
https://nvd.nist.gov/vuln/detail/CVE-2025-49824
https://access.redhat.com/security/cve/cve-2025-49824
Patch
https://github.com/conda-forge/conda-smithy/releases