GHSA-43fp-rhv2-5gv8 · Severity: medium · Ecosystem: pip — Certifi removing TrustCor root certificate
Certifi is a curated collection of root certificates used to validate the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes the "TrustCor" root certificates from its root store. These roots are in the process of being removed from Mozilla's trust store as well. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. The conclusions of Mozilla's investigation can be found in the linked Google Groups discussion.
Conclusion & alert: CVE-2022-23491 is rated Moderate Risk (41.9/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.53%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS note: the daily EPSS score estimates the relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (a higher percentile means a higher relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.05% | 0.53% | +0.48% |
| 2 | 2025-12-25 | 0.04% | 0.05% | +0.01% |
| 3 | 2025-11-21 | — | 0.04% | — |
Full EPSS history (14 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.8 | 3.1 | MEDIUM | | 2.3 | 4.0 | [email protected] |
| 7.5 | 3.1 | HIGH | | 3.9 | 3.6 | [email protected] |
| Vendor | Priority | Summary | Link |
|---|---|---|---|
| debian | unimportant | CVE-2022-23491 unimportant priority: Debian including 1 source package (python-certifi), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 3, open 2. | https://security-tracker.debian.org/tracker/CVE-2022-23491 |
| redhat | medium | — | https://access.redhat.com/security/cve/CVE-2022-23491 |
| suse | medium | CVE-2022-23491 severity moderate: SUSE including 462 source package names (1.10.1.16.4.5.328:python3-certifi-2018.1.18-150000.3.3.1, 10.1.33-openjdk11-59.4:libfreebl3-3.79.3-150400.3.23.1, …), 2160 product×package rows across 390 product lines (Container bci/bci-sle15-kernel-module-devel, Container bci/kiwi, … (390 product lines)): Fixed 1948, Known Affected 169, Known Not Affected 43. | https://www.suse.com/security/cve/CVE-2022-23491/ |
| ubuntu | medium | CVE-2022-23491 medium priority: Ubuntu including 1 source package (ca-certificates), 7 status rows across 7 suites (bionic, focal, jammy, kinetic, trusty, upstream, xenial): released 6, needs-triage 1. | https://ubuntu.com/security/CVE-2022-23491 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| certifi | certifi | >= 2017.11.5, < 2022.12.7 | cpe:2.3:a:certifi:certifi:*:*:*:*:*:python:*:* |
| netapp | e-series_performance_analyzer | — | cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:* |
| netapp | management_services_for_element_software | — | cpe:2.3:a:netapp:management_services_for_element_software:-:*:*:*:*:*:*:* |
| netapp | management_services_for_netapp_hci | — | cpe:2.3:a:netapp:management_services_for_netapp_hci:-:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8 | Third Party Advisory |
| https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ | Mailing List Third Party Advisory |
| https://security.netapp.com/advisory/ntap-20230223-0010/ | Third Party Advisory |