PT-2022-16025 · Certifi+4 · Certifi+4

Published

2022-12-05

Updated

2026-06-03

CVE-2022-23491

CVSS v3.1

6.8

Medium

Vector

AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Certifi versions prior to 2022.12.07

Description The issue is related to the presence of TrustCor's root certificates in the list of root certificates, which has been removed due to TrustCor's involvement in producing spyware. This removal is part of an investigation prompted by media reports. The exploitation of this issue may allow an attacker to compromise any checks based on digital signatures.

Recommendations For Certifi versions prior to 2022.12.07, disable bundled Trustcor root certificate signatures generated after Wednesday, November 30, 2022.

Exploit

Fix

Insufficient Verification of Data Authenticity

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-345

Related Identifiers

ALT-PU-2023-8446

ALT-PU-2024-17878

CVE-2022-23491

ECHO-2096-02CB-109F

GHSA-43FP-RHV2-5GV8

MGASA-2023-0140

OESA-2023-1457

OPENSUSE-SU-2023_0119-1

OPENSUSE-SU-2023_0139-1

OPENSUSE-SU-2024:13237-1

PYSEC-2022-42986

RHSA-2025:9775

SUSE-SU-2023:0118-1

SUSE-SU-2023:0119-1

SUSE-SU-2023:0130-1

SUSE-SU-2023:0139-1

SUSE-SU-2023_0118-1

SUSE-SU-2023_0119-1

SUSE-SU-2023_0130-1

SUSE-SU-2023_0139-1

USN-5761-1

USN-5761-2

Affected Products

Alt Linux

Certifi

Debian

Red Os

Suse

PT-2022-16025 · Certifi+4 · Certifi+4

CVE-2022-23491

Weakness Enumeration

Related Identifiers

Affected Products

References · 50