Certifi <2023.07.22: eTugra Root Certs Removed from Store
CVE-2023-37920 Published on July 25, 2023
Certifi's removal of e-Tugra root certificate
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
Vulnerability Analysis
CVE-2023-37920 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.
Weakness Type
Insufficient Verification of Data Authenticity
The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Products Associated with CVE-2023-37920
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-37920 are published in these products:
Affected Versions
python-certifi Version >= 2015.04.28, < 2023.07.22 is affected by CVE-2023-37920Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.