CVE Vulnerability

CVE-2022-23491

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ Mailing List Third Party Advisory
https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:certifi_project:certifi:*:*:*:*:*:*:*:*
Information

Published : 2022-12-07 10:15

Updated : 2022-12-23 05:00

NVD link : CVE-2022-23491

Mitre link : CVE-2022-23491

Products Affected
No products.
CWE
CWE-345