CVE-2022-23491: Removal of TrustCor root certificate
First published: Wed Dec 07 2022(Updated: )
An unspecified error in with TrustCor's ownership also operated a business that produced spyware in Certifi has an unknown impact and attack vector.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/certifi | >=2017.11.05<2022.12.07 | 2022.12.07 |
| IBM Cognos Analytics | <=12.0.0-12.0.4 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 | |
| Python Certifi | >=2017.11.5<2022.12.7 | |
| Certifi | >=2017.11.5<2022.12.7 | |
| netapp e-series performance analyzer | ||
| netapp management services for element software | ||
| NetApp Management Services for NetApp HCI | ||
| >=2017.11.5<2022.12.7 | ||
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/certifi/python-certifi/security/advisories/GHSA-43fp-rhv2-5gv8
- https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ
- https://github.com/certifi/python-certifi/commit/9e9e840925d7b8e76c76fdac1fab7e6e88c1c3b8
- https://nvd.nist.gov/vuln/detail/CVE-2022-23491
- https://github.com/pypa/advisory-database/tree/main/vulns/certifi/PYSEC-2022-42986.yaml
- https://github.com/advisories/GHSA-43fp-rhv2-5gv8 (Advisory)
- https://www.ibm.com/support/pages/node/7181480 (Advisory)
- https://security.netapp.com/advisory/ntap-20230223-0010
- https://security.netapp.com/advisory/ntap-20230223-0010/
Frequently Asked Questions
What is the severity of CVE-2022-23491?
The severity of CVE-2022-23491 is currently unspecified due to inadequate details about its impact and attack vector.
How do I fix CVE-2022-23491?
To mitigate CVE-2022-23491, update the Certifi package to version 2022.12.07 or later.
What software is affected by CVE-2022-23491?
CVE-2022-23491 affects Certifi versions between 2017.11.05 and 2022.12.07, as well as IBM Cognos Dashboards on Cloud Pak for Data versions up to 5.0.0.
What is the impact of the vulnerability CVE-2022-23491?
The impact of CVE-2022-23491 is unknown, but it relates to root certificates being removed from the trust store.
When was CVE-2022-23491 disclosed?
CVE-2022-23491 was disclosed on December 7, 2022.
- agent/type
- agent/weakness
- agent/title
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/description
- agent/author
- collector/github-advisory
- source/GitHub
- alias/GHSA-43fp-rhv2-5gv8
- alias/CVE-2022-23491
- agent/software-canonical-lookup
- agent/trending
- agent/source
- agent/severity
- collector/ibm-support
- source/IBM
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/github-advisory-latest
- agent/last-modified-date
- agent/references
- collector/nvd-cve
- source/NVD
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- package-manager/pip
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.4
- version/ibm cognos analytics/11.2.0-11.2.4 fp4
- vendor/certifi project
- canonical/python certifi
- version/python certifi/2017.11.5
- vendor/certifi
- canonical/certifi
- version/certifi/2017.11.5
- vendor/netapp
- canonical/netapp e-series performance analyzer
- canonical/netapp management services for element software
- canonical/netapp management services for netapp hci