Insufficient Verification of Data Authenticity Affecting ca-certificates package, versions <0:2018.2.22-65.1.31.amzn1
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-AMZN201803-CACERTIFICATES-5889421
- published 8 Sep 2023
- disclosed 25 Jul 2023
Introduced: 25 Jul 2023
CVE-2023-37920 Open this link in a new tabHow to fix?
Upgrade Amazon-Linux:2018.03 ca-certificates to version 0:2018.2.22-65.1.31.amzn1 or higher.
This issue was patched in ALAS-2023-1817.
NVD Description
Note: Versions mentioned in the description apply only to the upstream ca-certificates package and not the ca-certificates package as distributed by Amazon-Linux.
See How to fix? for Amazon-Linux:2018.03 relevant fixed versions and status.
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
References
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37920
- https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909
- https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7
- https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EX6NG7WUFNUKGFHLM35KHHU3GAKXRTG/