Improper Authorization Affecting conan package, versions [,2.9.0)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-CONAN-8400482
- published21 Nov 2024
- disclosed1 Nov 2024
- creditUnknown
Introduced: 1 Nov 2024
CVE NOT AVAILABLE CWE-285 (opens in a new tab)Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade conan to version 2.9.0 or higher.
Overview
conan is a Conan C/C++ package manager
Affected versions of this package are vulnerable to Improper Authorization in the server's authorization mechanism, by the check_read_conan, check_write_conan, and check_delete_conan methods in the authorize() function, as well as via authentication checks in file_downloader() and file_uploader() functions. This allows users to bypass permission checks if the package owner's username matches their own.
Note: This is exploitable only by an authenticated user who owns a package.