Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Conda Constructor Command Injection via Unsanitized User Input (Low)
Vulnerability Description
(conda) Constructor is a tool which allows constructing an installer for a collection of conda packages. Prior to version 3.11.3, shell installer scripts process the installation prefix (user_prefix) using an eval statement, which executes unsanitized user input as shell code. Although the script runs with user privileges (not root), an attacker could exploit this by injecting arbitrary commands through a malicious path during installation. Exploitation requires explicit user action. This issue has been patched in version 3.11.3.
CVSS Information
CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:N
Vulnerability Type
在命令中使用的特殊元素转义处理不恰当(命令注入)
Vulnerability Title
Conda Constructor 命令注入漏洞
Vulnerability Description
Conda Constructor是Conda开源的一个从conda包创建安装程序的工具。 Conda Constructor 3.11.3之前版本存在命令注入漏洞,该漏洞源于eval语句处理安装前缀时执行未清理的用户输入,可能导致执行任意命令。
CVSS Information
N/A
Vulnerability Type
N/A