Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00M2ZwLXJodjItNWd2OM4AAwM2

Certifi removing TrustCor root certificate

Certifi 2022.12.07 removes the "TrustCor" root certificates from the root store. These are in the process of being removed from Mozilla's trust store.

TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found here.

Permalink: https://github.com/advisories/GHSA-43fp-rhv2-5gv8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00M2ZwLXJodjItNWd2OM4AAwM2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 3 months ago


CVSS Score: 6.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N

EPSS Percentage: 0.00057
EPSS Percentile: 0.24522

Identifiers: GHSA-43fp-rhv2-5gv8, CVE-2022-23491
References: Repository: https://github.com/certifi/python-certifi
Blast Radius: 38.2

Affected Packages

pypi:certifi
Dependent packages: 3,902
Dependent repositories: 415,524
Downloads: 518,169,854 last month
Affected Version Ranges: >= 2017.11.05, < 2022.12.07
Fixed in: 2022.12.07
All affected versions: 2017.11.5, 2018.1.18, 2018.4.16, 2018.8.13, 2018.8.24, 2018.10.15, 2018.11.29, 2019.3.9, 2019.6.16, 2019.9.11, 2019.11.28, 2020.4.5, 2020.6.20, 2020.11.8, 2020.12.5, 2021.5.30, 2021.10.8, 2022.5.18, 2022.6.15, 2022.9.14, 2022.9.24
All unaffected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 1.0.0, 1.0.1, 14.5.14, 2015.4.28, 2015.9.6, 2015.11.20, 2016.2.28, 2016.8.2, 2016.8.8, 2016.8.31, 2016.9.26, 2017.1.23, 2017.4.17, 2017.7.27, 2022.12.7, 2023.5.7, 2023.7.22, 2023.11.17, 2024.2.2, 2024.6.2, 2024.7.4, 2024.8.30