CVE-2023-37920

Name: CVE-2023-37920
Creator: NVD / NIST
Published: 2023-07-25T21:15:10.827+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 0.47%

Last modified Jun 17, 2026

CVE-2023-37920 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. EPSS estimates a 0.47% chance of exploitation in the next 30 days.

Description

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.47%

37.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Certifi	Certifi	>= 2015.4.28, < 2023.7.22
Fedoraproject	Fedora	38
Netapp	Active Iq Unified Manager	All versions
Netapp	Management Services For Element Software	All versions
Netapp	Management Services For Netapp Hci	All versions
Netapp	Ontap Mediator	All versions
Netapp	Ontap Select Deploy Administration Utility	All versions
Netapp	Solidfire \& Hci Storage Node	All versions

References

https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909Patch
https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7Vendor Advisory
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1AMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EX6NG7WUFNUKGFHLM35KHHU3GAKXRTG/Mailing List
https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909Patch
https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7Vendor Advisory
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1AMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EX6NG7WUFNUKGFHLM35KHHU3GAKXRTG/Mailing List
https://security.netapp.com/advisory/ntap-20240912-0002/Third Party Advisory

Timeline

Published: Jul 25, 2023
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2023-37920?

How severe is CVE-2023-37920?

CVE-2023-37920 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 0.47% probability of exploitation in the next 30 days.

How do I fix CVE-2023-37920?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-37920?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST