Certifi
CVE-2022-23491
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 26 pypi packages depend on certifi (25 direct, 1 indirect)
Ecosystem-wide dependent count for version 2017.11.05.
DescriptionNVD
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.
AnalysisAI
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-345. Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion. Affected products include: Certifi, Netapp E-Series Performance Analyzer, Netapp Management Services For Element Software, Netapp Management Services For Netapp Hci.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verify
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verify
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today