
CVE-2022-23491: Certifi removing TrustCor root certificate

CVSS Score (v3.1): 6.8

Basic Information

EPSS Score: 0.12246%
Published: 12/7/2022
Updated: 2/12/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

Package Name: certifi
Ecosystem: pip
Vulnerable Versions: >= 2017.11.05, < 2022.12.07
First Patched Version: 2022.12.07

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability CVE-2022-23491 stems from the inclusion of TrustCor root certificates in the certifi root store, not from flaws in code logic or specific functions. The fix (commit 9e9e840) removed these certificates from the cacert.pem file, which is a static data file containing trusted CA certificates. The core functions like certifi.where() and certifi.contents() merely provide access to this bundle and are not inherently vulnerable—the risk arose from the trust placed in the removed certificates. No functions in the codebase exhibit vulnerable behavior; the issue was purely related to the inclusion of untrusted data in the certificate store.
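Since the defect lives in the static cacert.pem data rather than in any function, the practical check is to inspect the bundle a host actually ships. The following is an added example, not code from certifi or from Miggo: it parses a certifi-style bundle using the "# Issuer:" and "# Label:" comment lines certifi writes above each PEM block (an assumption about the bundle layout), flags any root whose label or issuer names TrustCor, and tests the installed version against the affected range stated above. The sample bundle is constructed, with dummy base64 bodies that are not real certificates.

```python
import base64
import hashlib
import re

# Version bounds from the advisory (certifi uses calendar versions, YYYY.MM.DD).
FIRST_AFFECTED = (2017, 11, 5)
FIXED_VERSION = (2022, 12, 7)
# Assumed layout: certifi's cacert.pem precedes each PEM block with comment
# lines such as '# Issuer: ...' and '# Label: "..."'; the block itself has no name.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def is_vulnerable_version(v):
    # True when the certifi version falls inside the advisory's affected range.
    return FIRST_AFFECTED <= tuple(int(p) for p in v.split(".")) < FIXED_VERSION

def _field(comments, name):
    m = re.search(r"^# %s: (.*)$" % re.escape(name), comments, re.M)
    return m.group(1).strip().strip('"') if m else ""

def parse_bundle(text):
    """Yield one record per PEM block: label, issuer and SHA-256 of the DER."""
    pos = 0
    for m in PEM_RE.finditer(text):
        comments = text[pos:m.start()]  # header comments for this block only
        pos = m.end()
        der = base64.b64decode("".join(m.group(1).split()))
        yield {"label": _field(comments, "Label"),
               "issuer": _field(comments, "Issuer"),
               "sha256": hashlib.sha256(der).hexdigest()}

def report(bundle_text, version):
    # Flag a vulnerable version and every root whose label or issuer is TrustCor.
    hits = [e["label"] for e in parse_bundle(bundle_text)
            if "trustcor" in (e["label"] + e["issuer"]).lower()]
    return {"version_vulnerable": is_vulnerable_version(version),
            "trustcor_roots": hits}

# Constructed sample bundle; the base64 bodies are dummy bytes, not real certs.
SAMPLE_BUNDLE = """\
# Issuer: CN=Example Root CA O=Example Org
# Label: "Example Root CA"
-----BEGIN CERTIFICATE-----
AAECAwQFBgcICQ==
-----END CERTIFICATE-----
# Issuer: CN=TrustCor RootCert CA-1 O=TrustCor Systems S. de R.L.
# Label: "TrustCor RootCert CA-1"
-----BEGIN CERTIFICATE-----
CgsMDQ4PEBESEw==
-----END CERTIFICATE-----
"""
```

To audit a real host, call `report(certifi.contents(), certifi.__version__)`; a patched version with an empty `trustcor_roots` list is the expected result.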


WAF Protection Rules

WAF Rule

Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media rep
