CVE-2023-35845

Anaconda 3 2023.03-1-Linux allows local users to disrupt TLS certificate validation by modifying the cacert.pem file used by the installed pip program. This occurs because many files are installed as world-writable on Linux, ignoring umask, even when these files are installed as root. Miniconda is also affected.

CVSS v3 4.7 MEDIUM

4.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.0 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://uponfurtherinvestigation.blogspot.com/2023/06/cve-2023-35845-anaconda3-creates.html	Exploit
https://uponfurtherinvestigation.blogspot.com/2023/06/cve-2023-35845-anaconda3-creates.html	Exploit

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:anaconda:anaconda3:2023.03-1:*:*:*:*:*:*:*

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

History

21 Nov 2024, 08:08

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-11 08:15

Updated : 2024-11-21 08:08

NVD link : CVE-2023-35845

Mitre link : CVE-2023-35845

CVE.ORG link : CVE-2023-35845

JSON object : View

Products Affected

anaconda

anaconda3

linux

linux_kernel

CWE

CWE-295

Improper Certificate Validation

{"id": "CVE-2023-35845", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "published": "2023-09-11T08:15:07.493", "references": [{"url": "https://uponfurtherinvestigation.blogspot.com/2023/06/cve-2023-35845-anaconda3-creates.html", "tags": ["Exploit"], "source": "cve@mitre.org"}, {"url": "https://uponfurtherinvestigation.blogspot.com/2023/06/cve-2023-35845-anaconda3-creates.html", "tags": ["Exploit"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "Anaconda 3 2023.03-1-Linux allows local users to disrupt TLS certificate validation by modifying the cacert.pem file used by the installed pip program. This occurs because many files are installed as world-writable on Linux, ignoring umask, even when these files are installed as root. Miniconda is also affected."}, {"lang": "es", "value": "Anaconda 3 2023.03-1-Linux permite a los usuarios locales interrumpir la validaci\u00f3n del certificado TLS modificando el archivo cacert.pem utilizado por el programa pip instalado. Esto ocurre porque muchos archivos se instalan como escritura universal en Linux, ignorando umask, incluso cuando estos archivos est\u00e1n instalados como root. Miniconda tambi\u00e9n se ve afectada."}], "lastModified": "2024-11-21T08:08:48.520", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:anaconda:anaconda3:2023.03-1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B52D6696-E01B-4ED4-A488-ED4136B7F785"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}