Insufficient Verification of Data Authenticity Affecting ca-certificates package, versions *
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-CENTOS8-CACERTIFICATES-6055031
- published 10 Nov 2023
- disclosed 25 Jul 2023
Introduced: 25 Jul 2023
CVE-2023-37920 Open this link in a new tabHow to fix?
There is no fixed version for Centos:8 ca-certificates.
NVD Description
Note: Versions mentioned in the description apply only to the upstream ca-certificates package and not the ca-certificates package as distributed by Centos.
See How to fix? for Centos:8 relevant fixed versions and status.
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
References
- https://access.redhat.com/security/cve/CVE-2023-37920
- https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909
- https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7
- https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EX6NG7WUFNUKGFHLM35KHHU3GAKXRTG/