Is botocore 1.31.21 vulnerable to CVE-2023-37920 (remove e-Tugra)? #2994
Hi @SyedNference, thanks for reaching out. The short answer is no, there isn't a feasible risk for CVE-2023-37920 in botocore 1.31.21. All of the Global Root CA certs removed in certifi 2023.07.22 are not present in cacert.pem in botocore. This cert bundle is also a last resort fallback, which is not used in the majority of user setups because either an installation of certifi or the AWS provided cert bundle will take precedence. There's another layer in that the SDK will not direct to an endpoint producing a cert from these issuers without explicit configuration from the end user. I've added #2995 to prevent any noise from security scanners, which should be included in the next release.
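A check an operator can run on their own hosts to confirm the point made in the reply above, as an added example that is not part of the original discussion or of botocore: it decodes each CA bundle a botocore client could pick up and lists any root whose subject mentions e-Tugra. The helper names are hypothetical, and the bundle locations checked (the `AWS_CA_BUNDLE` environment variable, an installed `certifi`, and `cacert.pem` inside the botocore package) are assumptions about a typical install.

```python
import os
import ssl
import unicodedata

def fold(text):
    """Lowercase and strip diacritics so 'E-Tuğra' and 'E-Tugra' compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()

def subject_values(cert):
    """Flatten the nested RDN tuples of an ssl-decoded cert into plain strings."""
    return [value for rdn in cert.get("subject", ()) for _key, value in rdn]

def find_roots(certs, needle="e-tugra"):
    """Return the subject strings of decoded certs whose subject mentions needle."""
    target = fold(needle)
    hits = []
    for cert in certs:
        values = subject_values(cert)
        if any(target in fold(v) for v in values):
            hits.append(" / ".join(values))
    return hits

def load_bundle(path):
    """Decode every CA certificate in a PEM bundle using only the stdlib."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()

def candidate_bundles():
    """Assumed bundle locations for a typical install; missing ones are skipped."""
    paths = [os.environ.get("AWS_CA_BUNDLE")]
    try:
        import certifi
        paths.append(certifi.where())
    except ImportError:
        pass
    try:
        import botocore
        paths.append(os.path.join(os.path.dirname(botocore.__file__), "cacert.pem"))
    except ImportError:
        pass
    return [p for p in paths if p and os.path.isfile(p)]

if __name__ == "__main__":
    for path in candidate_bundles():
        print(path, find_roots(load_bundle(path)) or "no e-Tugra roots")
```

An empty result for every listed path means none of the bundles on that host trusts an e-Tugra root, regardless of which one takes precedence.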
https://www.cvedetails.com/cve/CVE-2023-37920/?q=CVE-2023-37920