CVE-2024-46062
Local Privilege Escalation in Miniconda3 macOS Installer
Publication date: 2025-12-17
Last updated on: 2025-12-18
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anaconda | miniconda | 23.11.0-1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Miniconda3 macOS installers before version 23.11.0-1 when installed outside the user's home directory. During installation, world-writable files are created and executed with root privileges. This allows a local low-privileged user to inject arbitrary commands, resulting in code execution with root (highest) privileges.
How can this vulnerability impact me?
The vulnerability can allow a local attacker with low privileges to escalate their privileges to root by injecting arbitrary commands during the installation process. This means an attacker could gain full control over the affected system, potentially compromising system integrity, confidentiality, and availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Miniconda3 macOS installers to version 23.11.0-1 or later, and avoid installing Miniconda outside the user's home directory to prevent creation of world-writable files executed with root privileges. [1]
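A permission audit for the condition described above (world-writable files under an install location outside the home directory), as an added example that is not part of the advisory or of Anaconda's tooling. The prefix path is supplied by the caller and is an assumption, as are the function names.

```shell
#!/bin/sh
# Added example: audit a Miniconda install prefix for paths that any local
# user can modify. The prefix is supplied by the caller (assumption: it is the
# directory the installer wrote to, outside the user's home directory).

# Regular files that are world-writable (mode bit o+w).
world_writable_files() {
    find "$1" -type f -perm -0002 -print 2>/dev/null
}

# Directories that are world-writable without the sticky bit: any user can
# replace or rename files inside them even when the files themselves are 0644.
unsafe_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# Prints one finding per line. Returns 0 if clean, 1 if findings, 2 on bad input.
audit_prefix() {
    prefix=$1
    if [ ! -d "$prefix" ]; then
        echo "not a directory: $prefix" >&2
        return 2
    fi
    findings=$( { world_writable_files "$prefix"; unsafe_dirs "$prefix"; } | sort -u )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit.sh /path/to/prefix
if [ "$#" -gt 0 ]; then
    audit_prefix "$1"
fi
```

Any path it prints can be modified by every local account, so it should not be executed by a process running as root until its mode is tightened.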