CVE-2022-23491: Certifi removing TrustCor root certificate
CVSS Score: 6.8 (CVSS 3.1)
Basic Information
CVE ID: CVE-2022-23491
GHSA ID:
EPSS Score: 0.12246%
CWE:
Published: 12/7/2022
Updated: 2/12/2025
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| certifi | pip | >= 2017.11.05, < 2022.12.07 | 2022.12.07 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
CVE-2022-23491 stems from the inclusion of TrustCor root certificates in the certifi root store, not from a flaw in code logic or in any specific function. The fix (commit 9e9e840) removed these certificates from cacert.pem, the static data file that holds the trusted CA certificates. The core functions certifi.where() and certifi.contents() merely return the path to, or the contents of, this bundle and are not themselves vulnerable; the risk came from the trust placed in the removed certificates. No function in the codebase exhibits vulnerable behavior; the issue was purely the presence of untrusted data in the certificate store.
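Because the defect lives in a data file rather than in code, the practical check is to inspect the bundle itself and the installed certifi version. The following is an added example (not certifi's code and not part of this advisory) that parses a certifi-style cacert.pem, flags any root whose label mentions TrustCor, and evaluates a version string against the vulnerable range given in the table above. It assumes the bundle precedes each certificate with comment lines of the form `# Label: "..."`, as certifi's generated bundle does; the SAMPLE_BUNDLE below is constructed with placeholder (non-real) PEM bodies, and the `audit_installed()` helper is a hypothetical convenience that only runs if certifi is importable.

```python
"""Added example: audit a certifi-style CA bundle for TrustCor roots and
check a certifi version against the CVE-2022-23491 affected range."""
import re
from typing import List, Optional, Tuple

# certifi's cacert.pem places comment lines such as '# Label: "Some Root CA"'
# above each certificate (format assumed from certifi's generated bundle).
LABEL_RE = re.compile(r'^# Label:\s*"(?P<label>[^"]*)"', re.MULTILINE)
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)

# Constructed sample bundle: two entries with placeholder, non-real PEM bodies.
SAMPLE_BUNDLE = """\
# Issuer: CN=Example Root CA O=Example
# Subject: CN=Example Root CA O=Example
# Label: "Example Root CA"
-----BEGIN CERTIFICATE-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----

# Issuer: CN=TrustCor RootCert CA-1
# Subject: CN=TrustCor RootCert CA-1
# Label: "TrustCor RootCert CA-1"
-----BEGIN CERTIFICATE-----
BBBBBBBBBBBBBBBBBBBBBBBBBBBB
-----END CERTIFICATE-----
"""

# Affected range from the advisory table: >= 2017.11.05, < 2022.12.07.
FIRST_VULNERABLE = (2017, 11, 5)
FIRST_PATCHED = (2022, 12, 7)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a certifi calendar version like '2022.12.07' into (2022, 12, 7)."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the version falls inside the affected range."""
    return FIRST_VULNERABLE <= parse_version(version) < FIRST_PATCHED


def find_labels(bundle_text: str) -> List[str]:
    """Return every '# Label:' value found in the bundle, in order."""
    return LABEL_RE.findall(bundle_text)


def find_distrusted(bundle_text: str, needle: str = "trustcor") -> List[str]:
    """Labels whose text contains the needle (case-insensitive)."""
    return [lbl for lbl in find_labels(bundle_text) if needle in lbl.lower()]


def count_certs(bundle_text: str) -> int:
    """Number of PEM certificate blocks in the bundle."""
    return len(PEM_RE.findall(bundle_text))


def audit_installed() -> Optional[dict]:
    """Hypothetical helper: audit the certifi package installed in this
    interpreter, or return None when certifi is not importable."""
    try:
        import certifi  # real package; only used when present
    except ImportError:
        return None
    with open(certifi.where(), encoding="utf-8") as fh:
        text = fh.read()
    return {
        "version": certifi.__version__,
        "vulnerable_version": is_vulnerable_version(certifi.__version__),
        "cert_count": count_certs(text),
        "trustcor_labels": find_distrusted(text),
    }


if __name__ == "__main__":
    print("sample bundle:", count_certs(SAMPLE_BUNDLE), "certs,",
          "flagged:", find_distrusted(SAMPLE_BUNDLE))
    print("installed certifi:", audit_installed())
```

A bundle that contains no TrustCor label and a version at or above 2022.12.07 is the expected state after the fix; either a flagged label or an in-range version is a finding worth raising, since certifi is commonly vendored or pinned indirectly by other packages.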