AVID-2026-R0922

Description

Vulnerability CVE-2021-42969

Details

Certain Anaconda3 2021.05 installations are affected by OS command injection. When a user installs Anaconda, an attacker can create a new file and write to usercustomize.py. When the user opens the terminal or activates Anaconda, the command is executed.
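Python's `site` module imports `usercustomize` (and `sitecustomize`) at interpreter startup when the user site directory is enabled, which is why a planted file runs without further user action. The following audit is an added example, not part of the advisory or of Anaconda: it lists those hook files in the interpreter's site directories and flags loose permissions. It assumes POSIX mode bits; on Windows, directory ACLs need a separate review. The names `candidate_dirs` and `audit` are hypothetical.

```python
import os
import site
import stat

# Files the site module imports automatically at interpreter startup.
HOOKS = ("usercustomize.py", "sitecustomize.py")
LOOSE = stat.S_IWGRP | stat.S_IWOTH  # writable by group or other


def candidate_dirs():
    """Site directories of the running interpreter, system-wide and per-user."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return dirs


def audit(dirs):
    """Return (path, issue) findings for startup hooks in the given directories."""
    findings = []
    for d in dirs:
        try:
            dmode = os.stat(d).st_mode
        except OSError:
            continue  # directory missing: no hook can load from it
        if dmode & LOOSE:
            findings.append((d, "directory writable by group/other"))
        for name in HOOKS:
            path = os.path.join(d, name)
            try:
                fmode = os.stat(path).st_mode
            except OSError:
                continue  # hook not present
            findings.append((path, "startup hook present, review contents"))
            if fmode & LOOSE:
                findings.append((path, "hook writable by group/other"))
    return findings


if __name__ == "__main__":
    print("user site enabled:", site.ENABLE_USER_SITE)
    for path, issue in audit(candidate_dirs()):
        print(f"{issue}: {path}")
```

Run it with the interpreter of the Anaconda installation under review, since the site directories are specific to each interpreter.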

Reason for inclusion in AVID: CVE-2021-42969 describes an OS command injection in Anaconda3 2021.05 where an attacker could create usercustomize.py during install and cause command execution when the terminal is opened or Anaconda is activated. Anaconda is a widely used software stack in AI/ML workflows (environment/dependency management, data science tooling). This is a software supply-chain risk within AI tooling, with explicit code execution potential, satisfying AI relevance, GP AI supply chain involvement, and vulnerability criteria. The report provides explicit vulnerability behavior and impact.

References

Affected or Relevant Artifacts

  • Developer: n/a
  • Deployer: n/a
  • Artifact Details:
      • Type: System
      • Name: n/a

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2022-05-13
  • Version: 0.3.3
  • AVID Entry