CVE-2024-46060

HIGH EPSS 6.8%

Published Dec 17, 20256mo ago · Modified Jun 17, 20261w ago

7.8 CVSS 3.1

High

Published Dec 17, 2025 6mo ago

Last Modified Jun 17, 2026 1w ago

Description

Anaconda3 macOS installers before 2024.06-1 contain a local privilege escalation vulnerability when installed outside the user's home directory. During installation, world-writable files are created and executed with root privileges. This allows a local low-privileged user to inject arbitrary commands, leading to code execution as the root user.

CVSS Details

Base Score

7.8

Exploitability

1.8

Impact

5.9

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector Local

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

6.8% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 2

CWE-732

CWE-77 Command Injection Injection

Affected Products 2

Vendor	Product	Version	Range
anaconda	anaconda3	*	<2024.06-1
apple	macos	*	any

References 2

m8sec.dev https://m8sec.dev/blog/privilege-escalation-macos-pkg-installers/

ExploitThird Party Advisory
anaconda.com https://www.anaconda.com/docs/getting-started/anaconda/release/2024.x#anaconda-2024-06-1

Release Notes

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.