CNNVD-202506-2127 Information
CNNVD ID
CNNVD-202506-2127
Related CVE
- CNNVD Published: 2025-06-17
Description (Chinese)
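conda-forge conda-smithy is an open-source tool from conda-forge for managing conda-forge feedstocks. Versions of conda-forge conda-smithy before 3.47.1 contain a security vulnerability that stems from the travis_headers function creating a file with overly permissive permissions, which may lead to disclosure of the configuration file.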
Description (English)
conda-forge conda-smithy is a tool for managing conda-forge feedstocks. Versions of conda-forge conda-smithy before 3.47.1 contain a security vulnerability: the travis_headers function creates a file with excessive permissions, which could lead to disclosure of the configuration file.
Hazard Level
High
Vulnerability Type
Other
Affected Vendor
conda-forge
Published
2025-06-17
Last Modified
2026-02-24
References
https://github.com/conda-forge/conda-smithy/security/advisories/GHSA-h9v8-rrqg-3m95
https://github.com/conda-forge/conda-smithy/commit/24cc0a55a363479e797c825be3a7f2603ef374a1
https://github.com/conda-forge/conda-smithy/blob/1dc21086a476f6aeb6c1bad8bf58474bf3a8f8f0/conda_smithy/ci_register.py#L109-L111
https://access.redhat.com/security/cve/cve-2025-49843
https://nvd.nist.gov/vuln/detail/CVE-2025-49843
Patch
https://github.com/conda-forge/conda-smithy/releases