Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Conda-build vulnerable to supply chain attack vector due to pyproject.toml referring to dependencies not present in PyPI
Vulnerability Description
Conda-build contains commands and tools to build conda packages. Prior to version 25.3.0, the pyproject.toml lists conda-index as a Python dependency. This package is not published in PyPI. An attacker could claim this namespace and upload arbitrary (malicious) code to the package, and then exploit pip install commands by injecting the malicious dependency in the solve. This issue has been fixed in version 25.3.0. A workaround involves using --no-deps for pip install-ing the project from the repository.
CVSS Information
N/A
Vulnerability Type
CWE-1357
Vulnerability Title
Conda-build 安全漏洞
Vulnerability Description
Conda-build是Conda开源的一个用于构建conda包的命令和工具。 Conda-build 25.3.0之前版本存在安全漏洞,该漏洞源于pyproject.toml中列出了未发布的依赖项,可能导致恶意代码注入。
CVSS Information
N/A
Vulnerability Type
N/A