I’m new to the community so I’m not sure what to expect in terms of people being aware of developer activity. But I’m hoping to get some information about whether this is even considered a bug and whether it will get fixed.
You can look up the “vulnerability” on any CVE database. I’m pretty sure it’s a bug, but I’m not sure it’s a vulnerability. Essentially, on Mac or Linux systems, if someone creates a “userconfig.py” file in the site.getusersitepackages() directory, the output of the code will get executed by your shell when the base environment is activated.
Because it’s listed in a CVE database with a high risk score, my infosec folks are cranky.
Thank you for bringing this problem to our attention.
Can you please fill out a support request on our forum for this issue?
That way our engineering team can take a look at this issue and we can triage it.
Thanks. I have submitted a support request. I labelled it as “high” priority because I am afraid that I may be required to remove access to Anaconda for my users if I can’t address it.
The CVE is in the subject of this thread: cve-2021-42969
I don’t think this is really a vulnerability since it requires the attacker to create files in your environment. If they can do that, they can replace your .bashrc with similar effect: executing code with your user’s credentials.
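For anyone who, like the original poster, has to show their infosec team what is actually sitting in the directory that the thread is about, here is an added audit script (not from the thread, not Anaconda code). It lists the files in site.getusersitepackages() that Python runs at interpreter startup and flags any that are writable by group or others. Two details are facts about Python's own site module rather than the thread: sitecustomize.py and usercustomize.py are imported automatically when their directory is on sys.path (usercustomize only if user site-packages is enabled), and lines in a .pth file that begin with "import" are executed. The "userconfig.py" name from the post above is included as an assumption so the audit reports that file too; build_sample_dir() only builds a constructed test directory and is not part of the check.

```python
import os
import site
import stat
import sys
import tempfile

# Startup files Python's site module imports automatically when their
# site-packages directory is on sys.path: sitecustomize.py, and
# usercustomize.py when site.ENABLE_USER_SITE is true.
# "userconfig.py" is the name used in the post above; it is included as an
# assumption so the audit reports that file as well if it exists.
HOOK_NAMES = ("sitecustomize.py", "usercustomize.py", "userconfig.py")


def pth_import_lines(path):
    """Return the lines of a .pth file that begin with 'import'.

    The site module executes such lines as Python code when it processes
    the .pth file, so they are a second startup-execution channel besides
    the *customize.py hooks.
    """
    lines = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith(("import ", "import\t")):
                lines.append(line)
    return lines


def audit_site_dir(directory):
    """Audit one site-packages directory for files that run at startup.

    Returns a list of dicts with keys 'name', 'path', 'kind' ('hook' for a
    *customize.py file, 'pth' for a .pth file carrying import lines) and
    'group_or_world_writable' (True if the file mode has g+w or o+w set).
    A missing directory yields an empty list.
    """
    findings = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        if name in HOOK_NAMES:
            kind = "hook"
        elif name.endswith(".pth") and pth_import_lines(path):
            kind = "pth"
        else:
            continue  # ordinary modules and plain path-only .pth files
        mode = os.stat(path).st_mode
        findings.append({
            "name": name,
            "path": path,
            "kind": kind,
            "group_or_world_writable": bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
        })
    return findings


def audit_user_site():
    """Audit the running interpreter's user site-packages directory."""
    return audit_site_dir(site.getusersitepackages())


def build_sample_dir():
    """Create a constructed sample directory for trying the audit offline.

    It contains one startup hook, one .pth file with an import line that is
    deliberately left group/world-writable, one harmless path-only .pth file
    and one ordinary module. Nothing here is imported or executed.
    """
    d = tempfile.mkdtemp(prefix="site_audit_")
    samples = {
        "usercustomize.py": "print('runs at every interpreter start')\n",
        "evil.pth": "import os; os.system('id')\n",
        "harmless.pth": "/opt/extra/packages\n",
        "module.py": "x = 1\n",
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    os.chmod(os.path.join(d, "evil.pth"), 0o666)
    return d


if __name__ == "__main__":
    user_dir = site.getusersitepackages()
    print(f"user site-packages: {user_dir} (enabled: {site.ENABLE_USER_SITE})")
    results = audit_user_site()
    for f in results:
        flag = " [writable by group/others]" if f["group_or_world_writable"] else ""
        print(f"  {f['kind']}: {f['path']}{flag}")
    sys.exit(1 if results else 0)
```

Run it with the interpreter of the environment you are worried about (e.g. the base environment's python) so that site.getusersitepackages() resolves to the directory that interpreter actually consults; a non-zero exit means something in that directory runs at startup and deserves a look. Because the directory is under the user's home, the check is about what is there, not about who could have written it, which is exactly the point made in the reply above.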