Improper Access Control

CVE-2025-31484

High

9.3/10

Summary

conda-forge infrastructure holds common configurations and settings for key pieces of the conda-forge infrastructure. Between 2025-02-10 and 2025-04-01, conda-forge infrastructure used the wrong token for Azure's cf-staging access. This bug meant that any feedstock maintainer could upload a package to the conda-forge channel, bypassing our feedstock-token + upload process. The security logs on anaconda.org were check for any packages that were not copied from the cf-staging to the conda-forge channel and none were found.

Attack Complexity: LOW
Attack Vector: NETWORK
User Interaction: NONE
Privileges Required: NONE

CWE-284 - Improper Access Control

Listed 5th in the 'OWASP Top Ten', improper (or broken) access control attacks are a fundamental type of vulnerability. This includes a broad range of design flaws that enable users to act outside of their intended permissions. They can use these privileges to gain access to restricted files and functionality such as accessing restricted information, falsifying records, destroying data, or executing commands.

References

Advisory Timeline

Published Apr 02, 2025

Improper Access Control

CVE-2025-31484

Summary

CWE-284 - Improper Access Control

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS