Improper Authorization Affecting conan package, versions [,2.9.0)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Improper Authorization vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-PYTHON-CONAN-8400482
- published21 Nov 2024
- disclosed1 Nov 2024
- creditUnknown
Introduced: 1 Nov 2024
CVE NOT AVAILABLE CWE-285 (opens in a new tab)How to fix?
Upgrade conan to version 2.9.0 or higher.
Overview
conan is a Conan C/C++ package manager
Affected versions of this package are vulnerable to Improper Authorization in the server's authorization mechanism, by the check_read_conan, check_write_conan, and check_delete_conan methods in the authorize() function, as well as via authentication checks in file_downloader() and file_uploader() functions. This allows users to bypass permission checks if the package owner's username matches their own.
Note: This is exploitable only by an authenticated user who owns a package.