Description

conda-smithy is a tool for combining a conda recipe with configurations to build using freely hosted CI services into a single repository. Prior to version 3.47.1, the travis_encrypt_binstar_token implementation in the conda-smithy package has been identified as vulnerable to an Oracle Padding Attack. This vulnerability results from the use of an outdated and insecure padding scheme during RSA encryption. A malicious actor with access to an oracle system can exploit this flaw by iteratively submitting modified ciphertexts and analyzing responses to infer the plaintext without possessing the private key. This issue has been patched in version 3.47.1.

INFO

Published Date :

2025-06-17T20:40:02.477Z

Last Modified :

2025-06-18T15:46:26.019Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-49824 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-49824.

URL Resource
https://github.com/conda-forge/conda-smithy/blob/46a06524eeeb7f59e0969c3967ce5f700643d322/conda_smithy/ci_register.py#L447 cve-icon cve-icon
https://github.com/conda-forge/conda-smithy/commit/24cc0a55a363479e797c825be3a7f2603ef374a1 cve-icon cve-icon
https://github.com/conda-forge/conda-smithy/security/advisories/GHSA-2xf4-hg9q-m58q cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability