CVSS 3.1 score: 9.8 (High)

Metric | Value
---|---
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | HIGH
Integrity Impact | HIGH
Availability Impact | HIGH
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS score: 0.001 (Low), percentile 29.9%
Certifi is a curated collection of Root Certificates for validating the
trustworthiness of SSL certificates while verifying the identity of TLS
hosts. Certifi prior to version 2023.07.22 recognizes “e-Tugra” root
certificates. e-Tugra’s root certificates were subject to an investigation
prompted by reporting of security issues in their systems. Certifi
2023.07.22 removes root certificates from “e-Tugra” from the root store.
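The advisory above is about which roots a certifi bundle contains, and the notes that follow point out that a shipped cacert.pem may not be the store an application actually consults. The following Python is an added example (not certifi's own code, nor part of this advisory) showing two checks a practitioner would run: a version comparison against the fixing release 2023.07.22, and a scan of a certifi-style cacert.pem for entries whose Issuer, Subject or Label comment lines match a name. The sample bundle is constructed for the example; its certificate names and PEM bodies are placeholders, not copied from the real bundle.

```python
import re
from typing import Dict, List

# Release of certifi that dropped the e-Tugra roots (from the advisory).
FIXED_VERSION = (2023, 7, 22)

# Constructed sample in the layout certifi's cacert.pem uses: each
# certificate is preceded by "# Issuer:", "# Subject:" and "# Label:"
# comment lines. Names and PEM bodies below are placeholders.
SAMPLE_BUNDLE = """\
# Issuer: CN=Example Root CA O=Example Org
# Subject: CN=Example Root CA O=Example Org
# Label: "Example Root CA"
-----BEGIN CERTIFICATE-----
MIIBplaceholderNotARealCertificate1
-----END CERTIFICATE-----

# Issuer: CN=e-Tugra Certification Authority O=e-Tugra
# Subject: CN=e-Tugra Certification Authority O=e-Tugra
# Label: "e-Tugra Certification Authority"
-----BEGIN CERTIFICATE-----
MIIBplaceholderNotARealCertificate2
-----END CERTIFICATE-----
"""


def parse_bundle(text: str) -> List[Dict[str, str]]:
    """Split a certifi-style bundle into entries of metadata plus PEM block.

    Metadata is reset after every certificate so that comment lines cannot
    leak from one entry into the next.
    """
    entries: List[Dict[str, str]] = []
    meta = {"issuer": "", "subject": "", "label": ""}
    pem_lines = None  # None while outside a certificate block
    for line in text.splitlines():
        if pem_lines is not None:
            pem_lines.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                entries.append({**meta, "pem": "\n".join(pem_lines)})
                meta = {"issuer": "", "subject": "", "label": ""}
                pem_lines = None
            continue
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            pem_lines = [line]
            continue
        m = re.match(r"#\s*(Issuer|Subject|Label):\s*(.*)$", line)
        if m:
            meta[m.group(1).lower()] = m.group(2).strip().strip('"')
    return entries


def find_certs(text: str, needle: str) -> List[str]:
    """Return labels of entries whose issuer, subject or label mention needle."""
    needle = needle.lower()
    return [
        e["label"]
        for e in parse_bundle(text)
        if needle in f'{e["issuer"]} {e["subject"]} {e["label"]}'.lower()
    ]


def is_fixed_certifi(version: str) -> bool:
    """True if a certifi version string (e.g. "2023.7.22") is at or past the fix.

    certifi versions are date-based, so an integer tuple compares correctly
    whether or not the month/day are zero-padded.
    """
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts >= FIXED_VERSION


if __name__ == "__main__":
    print("constructed sample, e-Tugra entries:", find_certs(SAMPLE_BUNDLE, "e-Tugra"))
    try:
        import certifi  # only used if installed; the example runs without it

        with open(certifi.where(), encoding="utf-8") as fh:
            hits = find_certs(fh.read(), "e-Tugra")
        print(f"installed certifi {certifi.__version__}: "
              f"fixed={is_fixed_certifi(certifi.__version__)}, e-Tugra entries={hits}")
    except ImportError:
        print("certifi not installed; only the constructed sample was checked")
```

The bundle scan only answers whether a given cacert.pem lists such a root; as the Debian and Ubuntu notes below state, a distribution may patch certifi to ignore its bundled file and use the system ca-certificates instead, in which case the system store is the one to inspect.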
Author | Note
---|---
(Priority reason) | python-certifi in Debian and Ubuntu is patched to use the system CA certificates
mdeslaur | The python-pip package bundles python-certifi binaries when built. After updating python-certifi, a no-change rebuild of python-pip is required.
sbeattie | python-certifi in Debian and Ubuntu is patched to use the system CA certificates
mdeslaur | While the cacert.pem file is shipped in binary packages, it is not used in any way; the actual application is patched to use the system ca-certificates. There is a Debian bug filed to remove the cert store here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947287
seth-arnold | I’m marking this ‘ignored’; we don’t wish to give the impression that this certificate bundle is supported.
github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7
groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A
launchpad.net/bugs/cve/CVE-2023-37920
nvd.nist.gov/vuln/detail/CVE-2023-37920
security-tracker.debian.org/tracker/CVE-2023-37920
www.cve.org/CVERecord?id=CVE-2023-37920