CVE-2023-37920
Source: ubuntu.com (UB:CVE-2023-37920)
Published: 2023-07-25 00:00:00
Keywords: certifi, root certificates, ssl, tls, validation, trustworthiness, security issues, investigation, removal, python-certifi, debian, ubuntu, python-pip, binary packages, ca certificates, system, patched, cacert.pem, bug, ignored

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.001 Low (percentile 29.9%)

Certifi is a curated collection of Root Certificates for validating the
trustworthiness of SSL certificates while verifying the identity of TLS
hosts. Certifi prior to version 2023.07.22 recognizes “e-Tugra” root
certificates. e-Tugra’s root certificates were subject to an investigation
prompted by reporting of security issues in their systems. Certifi
2023.07.22 removes root certificates from “e-Tugra” from the root store.

Notes

Priority reason: python-certifi in Debian and Ubuntu is patched to use the system CA certificates
mdeslaur: the python-pip package bundles python-certifi binaries when built. After updating python-certifi, a no-change rebuild of python-pip is required.
sbeattie: python-certifi in Debian and Ubuntu is patched to use the system CA certificates
mdeslaur: While the cacert.pem file is shipped in binary packages, it is not used in any way; the actual application is patched to use the system ca-certificates. There is a Debian bug filed to remove the cert store here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947287
seth-arnold: I'm marking this 'ignored'; we don't wish to give the impression that this certificate bundle is supported.
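The practical question raised by the description and the notes above is which CA bundle a given Python interpreter actually trusts and whether a withdrawn root such as e-Tugra is still in it. The following audit is an added example, not code from the Ubuntu tracker or from certifi: it assumes the "# Subject:" / "# Label:" comment layout certifi uses in cacert.pem (a comment-free system ca-certificates.crt yields unlabelled records), and the sample bundle is constructed.

```python
import re
import ssl
from typing import Dict, List, Optional

# Constructed sample (not a real store). The "# Subject:/# Label:" comments
# mirror the layout certifi uses in cacert.pem; PEM bodies are placeholders.
SAMPLE_BUNDLE = """\
# Subject: CN=Example Root CA O=Example Org
# Label: "Example Root CA"
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
# Subject: CN=E-Tugra Certification Authority O=E-Tugra EBG
# Label: "E-Tugra Certification Authority"
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
"""

HEADER_RE = re.compile(r"^#\s*(Issuer|Subject|Label):\s*(.*)$")


def list_roots(bundle_text: str) -> List[Dict[str, Optional[str]]]:
    """One record per PEM block, carrying the Issuer/Subject/Label comments
    that preceded it (all None for a comment-free system bundle)."""
    roots, current = [], {}
    for line in bundle_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip().strip('"')
        elif line.strip() == "-----END CERTIFICATE-----":
            roots.append({k: current.get(k) for k in ("Issuer", "Subject", "Label")})
            current = {}
    return roots


def find_roots(bundle_text: str, pattern: str) -> List[str]:
    """Labels of roots whose comment metadata matches `pattern` (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [r["Label"] or r["Subject"] or "(unlabelled)"
            for r in list_roots(bundle_text)
            if rx.search(" ".join(v for v in r.values() if v))]


def bundle_in_use() -> str:
    """Bundle path this interpreter trusts: certifi.where() when certifi is
    importable (the Debian/Ubuntu patch makes that the system store), else
    ssl's default cafile. Read that file and pass it to find_roots()."""
    try:
        import certifi  # optional; absent on a bare interpreter
        return certifi.where()
    except ImportError:
        return ssl.get_default_verify_paths().cafile or "(no default cafile)"
```

On a patched Debian/Ubuntu python3-certifi, bundle_in_use() should point at the system ca-certificates file rather than a bundled cacert.pem, which is why the tracker marks the bundled copy as unused.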
