CVE-2023-37920

CWE-34510 documents8 sources
Severity
9.8CRITICAL
EPSS
0.1%
top 70.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Certifi CertifiCertifi Python-certifiFedoraproject Fedora
Timeline
PublishedJul 25
Latest updateJul 15

Description

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

PyPIcertifi2015.4.282023.7.22
NVDcertifi/certifi2015.4.282023.7.22
Debianpython-certifi< 2023.7.22-1+1
CVEListV5certifi/python-certifi>= 2015.04.28, < 2023.07.22

Also affects: Fedora 38

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

5
OSV
CVE-2023-37920: Certifi 20232023-08-03
GHSA
Removal of e-Tugra root certificate2023-07-25
CVEList
Certifi's removal of e-Tugra root certificate2023-07-25
OSV
Removal of e-Tugra root certificate2023-07-25
OSV
CVE-2023-37920: Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts2023-07-25

📋Vendor Advisories

4
Oracle
Oracle Oracle Communications Risk Matrix: Install (Certifi) — CVE-2023-379202024-07-15
Red Hat
python-certifi: Removal of e-Tugra root certificate2023-07-25
Microsoft
Certifi's removal of e-Tugra root certificate2023-07-11
Debian
CVE-2023-37920: python-certifi - Certifi is a curated collection of Root Certificates for validating the trustwor...2023
CVE-2023-37920 (CRITICAL CVSS 9.8) | Certifi is a curated collection of | cvebase.io