PyPi: Certifi

CVE-2023-37920

Safety vulnerability ID: 59956

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jul 25, 2023 Updated at Aug 30, 2024

Advisory

Certifi 2023.07.22 includes a fix for CVE-2023-37920: Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes e-Tugra's root certificates from the root store.
https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7

Affected package

certifi

Latest version: 2024.8.30

Python package for providing Mozilla's CA Bundle.

Affected versions

Fixed versions

Vulnerability changelog

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes e-Tugra's root certificates from the root store. See CVE-2023-37920.

References:
- Fix commit: https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909
- GitHub advisory: https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7
- Mozilla dev-security-policy discussion: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A
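The practical question for a defender is whether the certifi bundle actually loaded by an application still carries the removed roots. The following added example (not certifi's own code, and not part of this advisory) checks two things: that an installed certifi version is at or above the fixed release 2023.07.22, and that a cacert.pem-style bundle contains no entry whose "# Label:", "# Subject:" or "# Issuer:" comment header mentions e-Tugra. It assumes the bundle uses the per-certificate comment headers that certifi's cacert.pem carries; the sample bundle and its PEM bodies are constructed placeholders, not real certificates.

```python
"""Check a certifi-style CA bundle for e-Tugra roots (CVE-2023-37920).

Added example, not certifi project code. Assumes the bundle format used by
certifi's cacert.pem: each certificate is preceded by comment lines such as
"# Issuer: ...", "# Subject: ..." and '# Label: "..."'.
"""
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "2023.07.22"          # first certifi release without e-Tugra roots (per the advisory)
DISTRUSTED_FRAGMENT = "e-tugra"       # case-insensitive match against label/subject/issuer


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a calendar version ('2023.07.22' or the normalized '2023.7.22') into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_fixed(version: str) -> bool:
    """True when the given certifi version is at or above the fixed release."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def bundle_entries(bundle_text: str) -> List[Dict[str, str]]:
    """Split a bundle into entries: the '# Key: value' headers plus the PEM block that follows them."""
    entries: List[Dict[str, str]] = []
    header: Dict[str, str] = {}
    pem_lines: Optional[List[str]] = None
    for line in bundle_text.splitlines():
        if pem_lines is None:
            if line.startswith("# ") and ":" in line:
                key, _, value = line[2:].partition(":")
                header[key.strip()] = value.strip().strip('"')
            elif line.startswith("-----BEGIN CERTIFICATE-----"):
                pem_lines = [line]
        else:
            pem_lines.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                entry = dict(header)
                entry["pem"] = "\n".join(pem_lines)
                entries.append(entry)
                header, pem_lines = {}, None
    return entries


def distrusted_entries(bundle_text: str, needle: str = DISTRUSTED_FRAGMENT) -> List[str]:
    """Return the labels of bundle entries whose label, subject or issuer mentions the distrusted CA."""
    needle = needle.lower()
    hits: List[str] = []
    for entry in bundle_entries(bundle_text):
        haystack = " ".join(entry.get(k, "") for k in ("Label", "Subject", "Issuer")).lower()
        if needle in haystack:
            hits.append(entry.get("Label") or entry.get("Subject", "<unlabelled>"))
    return hits


def check_installed_certifi() -> Optional[Tuple[str, bool, List[str]]]:
    """Inspect the certifi actually installed in this interpreter; None if certifi is absent."""
    try:
        import certifi
        from importlib.metadata import version
    except ImportError:
        return None
    installed = version("certifi")
    with open(certifi.where(), encoding="utf-8") as fh:
        hits = distrusted_entries(fh.read())
    return installed, is_fixed(installed), hits


# Constructed sample bundle: headers mimic certifi's layout, PEM bodies are placeholders.
SAMPLE_BUNDLE = """\
# Issuer: CN=Example Root CA O=Example Org
# Subject: CN=Example Root CA O=Example Org
# Label: "Example Root CA"
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERNOTAREALCERTIFICATE0000000000000000000000
-----END CERTIFICATE-----

# Issuer: CN=E-Tugra Certification Authority O=E-Tugra EBG
# Subject: CN=E-Tugra Certification Authority O=E-Tugra EBG
# Label: "E-Tugra Certification Authority"
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERNOTAREALCERTIFICATE1111111111111111111111
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print("sample bundle hits:", distrusted_entries(SAMPLE_BUNDLE))
    result = check_installed_certifi()
    if result is None:
        print("certifi is not installed in this interpreter")
    else:
        installed, fixed, hits = result
        print(f"installed certifi {installed}: fixed={fixed}, e-Tugra entries={hits}")
```

Version checks alone are not enough on systems where `SSL_CERT_FILE`, `REQUESTS_CA_BUNDLE` or a vendored copy of certifi points to a different bundle; run `distrusted_entries` over whatever file the application actually uses.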

Resources


Severity Details

CVSS Base Score

CRITICAL 9.8

CVSS v3 Details

CRITICAL 9.8
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): HIGH
Availability Impact (A): HIGH