Conda Constructor Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in Conda Constructor versions through 3.11.2. The issue arises in shell installer scripts that process the installation prefix (user_prefix) using an eval statement, which executes unsanitized user input as shell code. While the script operates with user privileges and not as root, an attacker could exploit this vulnerability by injecting arbitrary commands through a malicious path during installation. Exploitation requires explicit user action, such as manually entering a harmful path, akin to self-XSS in browsers.
Impact
Exploitation allows for command injection, where an attacker can execute arbitrary commands with the user's privileges.
Reproduction
To reproduce this vulnerability, initiate the installation process with Conda Constructor versions through 3.11.2. When prompted to confirm the installation location, enter a malicious path that includes commands to be executed. The injected commands will be processed and executed due to the unsanitized input handling.
Remediation
Users should upgrade to Conda Constructor version 3.11.3 or later, where this vulnerability has been patched.
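The eval pattern described under Vulnerability, beside one way to handle the prefix without eval, as an added example: this is not Constructor's own code and not necessarily the change made in 3.11.3. The function names, the tilde handling and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration: function names and sample inputs are constructed,
# not taken from Constructor's installer template.

# Pattern the advisory describes: eval is used so "~" or "$HOME" in the typed
# prefix expands, but eval also runs any command substitution in the input.
expand_prefix_eval() {
    user_prefix=$1
    eval PREFIX="$user_prefix"
    printf '%s\n' "$PREFIX"
}

# Hardened form: expand a leading "~" explicitly and treat the rest as data.
expand_prefix_safe() {
    user_prefix=$1
    case "$user_prefix" in
        "~")   PREFIX=$HOME ;;
        "~/"*) PREFIX=$HOME/${user_prefix#"~/"} ;;
        *)     PREFIX=$user_prefix ;;
    esac
    printf '%s\n' "$PREFIX"
}

# Defence in depth (an assumption, not the shipped fix): accept only
# characters expected in an install path, reject everything else.
is_plain_path() {
    case "$1" in
        ""|*[!A-Za-z0-9_./~-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed, harmless input: the substitution only echoes a marker word.
sample='/tmp/inst$(echo INJECTED)'
printf 'eval: %s\n' "$(expand_prefix_eval "$sample")"
printf 'safe: %s\n' "$(expand_prefix_safe "$sample")"
is_plain_path "$sample" || printf 'rejected: %s\n' "$sample"
```

The eval variant returns a path in which the substitution has already run, while the hardened variant returns the typed string unchanged.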
