Investigate vulnerability: CVE-2023-37920 in registry.gitlab.com/arbetsformedlingen/job-ads/jobsearch-apis/jobsearch-apis:certifi
Issue created from vulnerability 94530732
Description:
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
- Severity: high
Solution:
Upgrade certifi to 2023.7.22 (written 2023.07.22 in the advisory) or later, pin that version in the image's Python requirements and rebuild the image so the updated cacert.pem actually ships in the container.
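A practitioner verifying the fix in the container wants two things checked: that the installed certifi is at or beyond the fixing release, and that the bundle certifi.where() points at no longer carries any root labelled e-Tugra. The Python below is an added example written for this issue, not code from the advisory or the certifi project. SAMPLE_BUNDLE is a constructed input in the comment-header layout certifi's cacert.pem uses (each certificate is preceded by '# Issuer:', '# Subject:' and '# Label:' comment lines); its certificate bodies are placeholders, not real certificates. Function names such as find_roots and bundle_is_clean are this example's own.

```python
"""Check a certifi installation for the e-Tugra roots removed in 2023.7.22 (CVE-2023-37920)."""
import re
from importlib.metadata import PackageNotFoundError, version
from typing import List, Optional, Tuple

# Release in which certifi dropped the e-Tugra roots (2023.07.22 in the advisory,
# normalised to 2023.7.22 on PyPI).
FIXED_VERSION = "2023.7.22"


def parse_version(v: str) -> Tuple[int, ...]:
    """certifi uses calendar versions (YYYY.M.D); compare numerically so that
    2023.07.22 == 2023.7.22 and 2023.5.7 sorts before 2023.7.22."""
    return tuple(int(part) for part in v.strip().split("."))


def is_vulnerable_version(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed certifi predates the fixing release."""
    return parse_version(installed) < parse_version(fixed)


def installed_certifi_version() -> Optional[str]:
    """Version of certifi in this interpreter, or None if it is not installed."""
    try:
        return version("certifi")
    except PackageNotFoundError:
        return None


def bundle_labels(pem_text: str) -> List[str]:
    """Return the '# Label: "<root name>"' values preceding each certificate, in order."""
    return re.findall(r'^# Label: "([^"]*)"', pem_text, flags=re.MULTILINE)


def count_certificates(pem_text: str) -> int:
    """Number of PEM certificate blocks in the bundle."""
    return len(re.findall(r"^-----BEGIN CERTIFICATE-----$", pem_text, flags=re.MULTILINE))


def find_roots(pem_text: str, name_pattern: str = r"e-?tugra") -> List[str]:
    """Labels in the bundle whose name matches name_pattern (case-insensitive)."""
    rx = re.compile(name_pattern, re.IGNORECASE)
    return [label for label in bundle_labels(pem_text) if rx.search(label)]


def bundle_is_clean(pem_text: str) -> bool:
    """True when no e-Tugra-labelled root remains in the bundle."""
    return not find_roots(pem_text)


# Constructed sample bundle (hypothetical input for this example). The certificate
# bodies are truncated placeholders, not real certificates.
SAMPLE_BUNDLE = """\
# Issuer: CN=Example Root CA O=Example Org
# Subject: CN=Example Root CA O=Example Org
# Label: "Example Root CA"
-----BEGIN CERTIFICATE-----
MIIBexampleplaceholder0000000000000000000000000000000000000000000
-----END CERTIFICATE-----

# Issuer: CN=E-Tugra Certification Authority O=E-Tugra EBG
# Subject: CN=E-Tugra Certification Authority O=E-Tugra EBG
# Label: "E-Tugra Certification Authority"
-----BEGIN CERTIFICATE-----
MIIBexampleplaceholder0000000000000000000000000000000000000000000
-----END CERTIFICATE-----
"""


def check_installed_bundle() -> dict:
    """Inspect the certifi actually installed in this interpreter, if any."""
    ver = installed_certifi_version()
    if ver is None:
        return {"installed": False}
    import certifi  # imported only when the package is present
    with open(certifi.where(), encoding="utf-8") as fh:
        pem = fh.read()
    return {
        "installed": True,
        "version": ver,
        "version_vulnerable": is_vulnerable_version(ver),
        "certificates": count_certificates(pem),
        "e_tugra_roots": find_roots(pem),
    }


if __name__ == "__main__":
    print("sample bundle:", count_certificates(SAMPLE_BUNDLE), "certificates,",
          "e-Tugra roots:", find_roots(SAMPLE_BUNDLE))
    print("installed certifi:", check_installed_bundle())
```

Run it inside the rebuilt container with the same interpreter the service uses; a result with version_vulnerable False and an empty e_tugra_roots list is what closes the finding. The label scan matters as well as the version check because a vendored or environment-overridden bundle (for example via SSL_CERT_FILE or REQUESTS_CA_BUNDLE) can still contain the removed roots even when the package version looks fixed.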
Identifiers:
- CVE-2023-37920
- GHSA-xqr8-7jwr-rhp7
- PYSEC-2023-135
Links:
- https://access.redhat.com/security/cve/CVE-2023-37920
- https://github.com/certifi/python-certifi
- https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909
- https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7
- https://github.com/pypa/advisory-database/tree/main/vulns/certifi/PYSEC-2023-135.yaml
- https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EX6NG7WUFNUKGFHLM35KHHU3GAKXRTG/
- https://nvd.nist.gov/vuln/detail/CVE-2023-37920
- https://www.cve.org/CVERecord?id=CVE-2023-37920
Scanner:
- Name: Trivy