GHSA-43fp-rhv2-5gv8

Suggest an improvement
Source
https://github.com/advisories/GHSA-43fp-rhv2-5gv8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-43fp-rhv2-5gv8/GHSA-43fp-rhv2-5gv8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-43fp-rhv2-5gv8
Aliases
Published
2022-12-07T23:05:18Z
Modified
2024-09-13T18:00:58.560596Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N CVSS Calculator
  • 5.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Certifi removing TrustCor root certificate
Details

Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store.

TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found here.

References

Affected packages

PyPI / certifi

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2017.11.05
Fixed
2022.12.07

Affected versions

2017.*

2017.11.5

2018.*

2018.1.18
2018.4.16
2018.8.13
2018.8.24
2018.10.15
2018.11.29

2019.*

2019.3.9
2019.6.16
2019.9.11
2019.11.28

2020.*

2020.4.5
2020.4.5.1
2020.4.5.2
2020.6.20
2020.11.8
2020.12.5

2021.*

2021.5.30
2021.10.8

2022.*

2022.5.18
2022.5.18.1
2022.6.15
2022.6.15.1
2022.6.15.2
2022.9.14
2022.9.24