
Cloud Vulnerability DB
A community-led vulnerabilities database
Anaconda 3 2023.03-1-Linux contains a security vulnerability that allows local users to disrupt TLS certificate validation by modifying the cacert.pem file used by the installed pip program. This occurs because many files are installed as world-writable on Linux, ignoring umask, even when these files are installed as root. Miniconda is also affected. The vulnerability was discovered in June 2023 and assigned CVE-2023-35845 (NVD).
During installation, Anaconda3 creates numerous world-writable files, including the cacert.pem file used by the Python certifi module vendored under the pip installation. Since certifi provides the trusted root certificate authorities, a local user who modifies this file can add a rogue CA, allowing untrusted content to pass through TLS connections via man-in-the-middle attacks. The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (Investigation Blog).
The primary impact is the potential disruption of TLS certificate validation. If exploited, an attacker could manipulate the cacert.pem file to bypass SSL certificate verification, potentially enabling man-in-the-middle attacks. This could lead to the compromise of secure communications for applications using the affected pip installation (Investigation Blog).
As a temporary mitigation, users can strip all 'other' write permissions from their Anaconda3 installation directory after any installation or update by running: 'find $HOME/anaconda3 -type f -perm /0002 -exec chmod o-w {} \;'. Additionally, upgrading the pip package bundled with Anaconda appears to fix the world-writable cacert.pem file issue (Investigation Blog).
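The mitigation above as an audit-and-fix script (an added example, not code from the advisory, Anaconda or Wiz): it counts world-writable regular files under a prefix, flags pip's vendored CA bundle (pip/_vendor/certifi/cacert.pem) specifically, applies the chmod o-w fix and re-checks. The directory layout in make_fixture is constructed to mimic the affected installation; pass a real prefix such as $HOME/anaconda3 as the first argument to audit an actual install.

```bash
#!/bin/bash
# Added example (not from the advisory): audit an Anaconda/Miniconda prefix for
# world-writable files, flag pip's vendored certifi cacert.pem, apply chmod o-w.
# The fixture built by make_fixture is constructed for demonstration only.

# Print regular files under $1 whose 'other' write bit is set.
list_world_writable() {
    find "$1" -type f -perm /0002 2>/dev/null
}

# Number of such files (empty tree -> 0); tr strips BSD wc padding.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Print UNSAFE if any vendored certifi cacert.pem under $1 is world-writable,
# otherwise OK. A writable bundle lets any local user plant a rogue root CA.
cacert_status() {
    if [ -n "$(find "$1" -type f -path '*/certifi/cacert.pem' -perm /0002 2>/dev/null)" ]; then
        echo UNSAFE
    else
        echo OK
    fi
}

# The advisory's mitigation, with the -exec terminator escaped from the shell.
fix_world_writable() {
    find "$1" -type f -perm /0002 -exec chmod o-w {} \;
}

# Constructed fixture mimicking the affected layout: a 0666 cacert.pem plus one
# unrelated world-writable file and one correctly permissioned file.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/lib/python3.10/site-packages/pip/_vendor/certifi" "$d/bin"
    : > "$d/lib/python3.10/site-packages/pip/_vendor/certifi/cacert.pem"
    : > "$d/bin/pip" ; : > "$d/bin/python"
    chmod 0666 "$d/lib/python3.10/site-packages/pip/_vendor/certifi/cacert.pem" "$d/bin/pip"
    chmod 0755 "$d/bin/python"
    echo "$d"
}

# Audit, remediate, re-check. Real install: bash audit.sh "$HOME/anaconda3"
prefix=${1:-$(make_fixture)}
echo "before: $(count_world_writable "$prefix") world-writable file(s), cacert.pem $(cacert_status "$prefix")"
fix_world_writable "$prefix"
echo "after:  $(count_world_writable "$prefix") world-writable file(s), cacert.pem $(cacert_status "$prefix")"
```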
Source: This report was generated using AI