CVE-2022-23491

Aliases: GHSA-43fp-rhv2-5gv8, PYSEC-2022-42986
Status: Analyzed
Published: 07 Dec 2022, 21:15
Last modified: 23 Apr 2025, 16:31

Vulnerability Summary

Overall Risk (default)
medium
30/100
CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
0.07% LOW
0% probability +0.02%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

07 Dec 2022, 21:15
Published
Vulnerability first disclosed
23 Apr 2025, 16:31
Last Modified
Vulnerability information updated

Description

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

CVSS Metrics

  • v4.0 MEDIUM, score 5.9: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
  • v3.1 MEDIUM, score 6.8: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
  • v3.1 HIGH, score 7.5 (nvd): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Trends

Current EPSS score: 0.07% Percentile: 21%

Techniques & Countermeasures

  • CWE-345: Insufficient Verification of Data Authenticity

    The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Affected Systems

  • certifi / certifi

    ≥ 2017.11.5, < 2022.12.7

  • certifi / python-certifi

    < 2022.12.07

  • netapp / e-series_performance_analyzer

    na

  • netapp / management_services_for_element_software

    na

  • netapp / management_services_for_netapp_hci

    na

  • PyPI / certifi

    ≥ 2017.11.05, < 2022.12.07 | ≥ 2017.11.5, < 2022.12.7

References (8)