1. Home
  2. CVE Database
  3. CVE-2022-26526
HIGH · 7.8

CVE-2022-26526

Anaconda Anaconda3 (Anaconda Distribution) through 2021.11.0.0 and Miniconda3 through 4.11.0.0 can create a world-writable directory under %PROGRAMDATA% and place that directory into the system PATH e...

Vulnerability Description

Anaconda Anaconda3 (Anaconda Distribution) through 2021.11.0.0 and Miniconda3 through 4.11.0.0 can create a world-writable directory under %PROGRAMDATA% and place that directory into the system PATH environment variable. Thus, for example, local users can gain privileges by placing a Trojan horse file into that directory. (This problem can only happen in a non-default installation. The person who installs the product must specify that it is being installed for all users. Also, the person who installs the product must specify that the system PATH should be changed.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
AnacondaAnaconda3<= 2021.11.0.0
CondaMiniconda3<= 4.11.0.0

Related Weaknesses (CWE)

CWE-732

References

FAQ

What is CVE-2022-26526?

CVE-2022-26526 is a vulnerability with a CVSS score of 7.8 (HIGH). Anaconda Anaconda3 (Anaconda Distribution) through 2021.11.0.0 and Miniconda3 through 4.11.0.0 can create a world-writable directory under %PROGRAMDATA% and place that directory into the system PATH e...

How severe is CVE-2022-26526?

CVE-2022-26526 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-26526?

Check the references section above for vendor advisories and patch information. Affected products include: Anaconda Anaconda3, Conda Miniconda3.