CVE-2023-37920

Name: CVE-2023-37920

Description: Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.

NVD Severity: high

References

| Type | URI |
| --- | --- |
| MISC | https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A |
| MISC | https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7 |
| MISC | https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909 |
| MISC | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EX6NG7WUFNUKGFHLM35KHHU3GAKXRTG/ |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| cpe:2.3:a:kennethreitz:certifi:*:*:*:*:*:python:*:* | py3-certifi | >= 2015.04.28 | < 2023.07.22 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| py3-certifi | 3.17-main | 2022.12.7-r0 | Dmitry Romanenko <dmitry@romanenko.in> | possibly vulnerable |
| py3-certifi | 3.16-main | 2021.10.8-r0 | Dmitry Romanenko <dmitry@romanenko.in> | possibly vulnerable |
| py3-certifi | 3.15-main | 2020.12.5-r1 | Dmitry Romanenko <dmitry@romanenko.in> | possibly vulnerable |
| py3-certifi | 3.18-main | 2023.7.22-r0 | Dmitry Romanenko <dmitry@romanenko.in> | fixed |