MEDIUM🇵🇱 Wersja polska

CVE-2025-32799

CVSS 5.6v4.0pub. 2025-06-16upd. 2025-07-02

Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build processing logic is vulnerable to path traversal (Tarslip) attacks due to improper sanitization of tar entry paths. Attackers can craft tar archives containing entries with directory traversal sequences to write files outside the intended extraction directory. This could lead to arbitrary file overwrites, privilege escalation, or code execution if sensitive locations are targeted. This issue has been patched in version 25.4.0.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Anaconda Conda Build

    APP
    Anaconda
    < 25.4.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath TraversalLPE
CWE
References

Related vulnerabilities

CVE-2025-32798HIGH8.2ten sam produkt

Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build reci...

CVE-2025-32800HIGH7.2ten sam produkt

Conda-build contains commands and tools to build conda packages. Prior to version 25.3.0, the pyproject.toml l...

CVE-2025-32797MEDIUM6.0ten sam produkt

Conda-build contains commands and tools to build conda packages. Prior to version 25.3.1, the write_build_scri...

CVE-2021-42343CRITICAL9.8ten sam vendor

An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clust...

CVE-2024-46060HIGH7.8ten sam vendor

Anaconda3 macOS installers before 2024.06-1 contain a local privilege escalation vulnerability when installed ...