What is CVE-2022-23491?

CVE-2022-23491 is a medium-severity vulnerability in Certifi, classified under Insufficient Verification of Data Authenticity. CVSS score: 6.8/10. Published 2022-12-07.

How severe is CVE-2022-23491?

Medium severity. CVSS v3 base score is 6.8 out of 10.

Is CVE-2022-23491 known to be exploited?

3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Certifi

CVE-2022-23491

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These…

EPSS: 0.005 (40.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.8 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N.

Affected products

Certifi
Certifi Python-certifi — versions < 2022.12.07
Netapp E-series_performance_analyzer
Netapp Management_services_for_element_software
Netapp Management_services_for_netapp_hci

Weakness classification (CWE)

CWE-345 — Insufficient Verification of Data Authenticity

Public proof-of-concept exploits

References

security-advisories@github.com (x_refsource_CONFIRM, Third Party Advisory)
security-advisories@github.com (Mailing List, Third Party Advisory, x_refsource_MISC)
af854a3a-2127-422b-91ae-364da2661108 (Third Party Advisory)

Frequently asked questions

What is CVE-2022-23491?: CVE-2022-23491 is a medium-severity vulnerability in Certifi, classified under Insufficient Verification of Data Authenticity. CVSS score: 6.8/10. Published 2022-12-07.
How severe is CVE-2022-23491?: Medium severity. CVSS v3 base score is 6.8 out of 10.
Is CVE-2022-23491 known to be exploited?: 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.