漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
conda-forge-ci-setup Allows Arbitrary Code Execution via Insecure Version Parsing
Vulnerability Description
conda-forge-ci-setup is a package installed by conda-forge each time a build is run on CI. The conda-forge-ci-setup-feedstock setup script is vulnerable due to the unsafe use of the eval function when parsing version information from a custom-formatted meta.yaml file. An attacker controlling meta.yaml can inject malicious code into the version assignment, which is executed during file processing, leading to arbitrary code execution. Exploitation requires an attacker to modify the recipe file by manipulating the RECIPE_DIR variable and introducing a malicious meta.yaml file. While this is more feasible in CI/CD pipelines, it is uncommon in typical environments, reducing overall risk. This vulnerability is fixed in 4.15.0.
CVSS Information
N/A
Vulnerability Type
动态执行代码中指令转义处理不恰当(Eval注入)
Vulnerability Title
conda forge ci-setup 安全漏洞
Vulnerability Description
conda forge ci-setup是conda forge社区的一个开源库。 conda forge ci-setup存在安全漏洞,该漏洞源于eval函数不安全使用,可能导致任意代码执行。
CVSS Information
N/A
Vulnerability Type
N/A