CVE 2021-42969: anyone fixing?

I’m new to the community so I’m not sure what to expect in terms of people being aware of developer activity. But I’m hoping to get some information about whether this is even considered a bug and whether it will get fixed.

You can look up the “vulnerability” on any CVE database. I’m pretty sure it’s a bug but I’m not sure it’s a vulnerability. Essentially, on mac or linux systems, if someone creates a “userconfig.py” file in the site.getusersitepackages() directory, the output of the code will get executed by your shell when the base environment is activated.

Because it’s listed in a CVE database with a high risk score, my infosec folks are cranky.

Hello ejon,

Thank you for bringing this problem to our attention.

Can you please fill out a support request on our forum for this issue?
That way our engineering team can take a look at this issue and we can triage it.

Thank you!

Thanks. I have submitted a support request. I labelled it as “high” priority because I am afraid that I may be required to remove access to Anaconda for my users if I can’t address it.

@ejon Could you please specify the fix version or issue details?

@sweller Could you please specify the fix version or issue details?

What is the ticket number for the support request you filled out?

Also, do you have a corresponding CVE number for this issue? That will be helpful here.

I don’t think I got a ticket number. At the time we weren’t paid users. I got an email response from Henna Malik saying I could follow Disable user site-packages during de[activation] by jjhelmus · Pull Request #12438 · conda/conda · GitHub for updates but it’s not clear that PR is related.

The CVE is in the subject of this thread: cve-2021-42969

I don’t think it is really a vulnerability since it requires the attacker to create files in your environment. If they can do that, they can replace your .bashrc with similar effect: executing code with your user’s credentials.
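For anyone who, like the original poster, has to answer an infosec team about this: the practical question is whether a userconfig.py already sits in the user site-packages directory the first post names (site.getusersitepackages()), and whether that directory is writable by anyone other than the user. The reply above points out that the same exposure applies to shell startup files such as .bashrc, so the same check is worth running on those. The following audit script is an added example written for this thread, not code from conda or Anaconda; it assumes a mac/linux filesystem, treats the "other" write bit as the weak permission to flag, and the list of shell startup file names is an assumption.

```python
import os
import site
import stat
import tempfile
from pathlib import Path

# Added example, not conda's or Anaconda's code. Audits the directory the
# thread refers to (site.getusersitepackages()) for a userconfig.py and for
# permissions that would let another local account drop files there, and
# applies the same permission check to shell startup files, the comparison
# the last reply draws.

# Assumption: common shell startup file names on mac/linux.
SHELL_STARTUP_FILES = [".bashrc", ".bash_profile", ".profile", ".zshrc"]


def _other_writable(path: Path) -> bool:
    """True if the path's mode grants write permission to 'other'."""
    try:
        mode = path.lstat().st_mode
    except FileNotFoundError:
        return False
    return bool(mode & stat.S_IWOTH)


def audit_user_site(user_site: Path) -> list:
    """Return findings (strings) for one user site-packages directory."""
    findings = []
    if not user_site.is_dir():
        return findings  # no directory, nothing for activation to pick up
    if _other_writable(user_site):
        findings.append(f"world-writable user site-packages: {user_site}")
    hook = user_site / "userconfig.py"
    if hook.exists():
        findings.append(f"userconfig.py present: {hook}")
        if _other_writable(hook):
            findings.append(f"userconfig.py world-writable: {hook}")
    return findings


def audit_shell_startup(home: Path) -> list:
    """Same permission check for the shell startup files in a home directory."""
    findings = []
    for name in SHELL_STARTUP_FILES:
        f = home / name
        if f.exists() and _other_writable(f):
            findings.append(f"shell startup file world-writable: {f}")
    return findings


def constructed_scenario() -> list:
    """Build a throwaway layout mimicking the thread's description and audit it.

    Constructed data: a fake site-packages tree with a userconfig.py and a
    world-writable directory, plus a world-writable .bashrc. Nothing in it is
    executed; the audit only inspects names and permission bits.
    """
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        site_dir = home / "lib" / "python3" / "site-packages"
        site_dir.mkdir(parents=True)
        hook = site_dir / "userconfig.py"
        hook.write_text("# constructed placeholder; never executed by this script\n")
        os.chmod(hook, 0o644)      # owner-writable only, so it is not flagged
        os.chmod(site_dir, 0o777)  # constructed weak permission we want to catch
        bashrc = home / ".bashrc"
        bashrc.write_text("# constructed startup file\n")
        os.chmod(bashrc, 0o666)    # constructed weak permission we want to catch
        return audit_user_site(site_dir) + audit_shell_startup(home)


if __name__ == "__main__":
    # Real check on this account, then the constructed scenario for comparison.
    real = audit_user_site(Path(site.getusersitepackages())) + audit_shell_startup(Path.home())
    for line in real or ["no findings for this user"]:
        print(line)
    for line in constructed_scenario():
        print("constructed:", line)
```

Running it as a regular user prints any findings for the current account and then the three findings from the constructed layout. A clean account reports nothing for the real paths; a userconfig.py you did not create, or a site-packages directory or startup file that other local accounts can write to, is what to look into.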