Vulnerability Name:

CVE-2022-23491 (CCN-241627)

Assigned:2022-12-07
Published:2022-12-07
Updated:2023-03-24
Summary:Certifi is a curated bundle of root certificates that Python applications (for example via requests and urllib3) use to validate TLS server certificates. Versions of Certifi before 2022.12.07 ship root certificates from TrustCor; Certifi 2022.12.07 removes them, following Mozilla's removal of the TrustCor roots from its trust store after media reporting that TrustCor's ownership also operated a business that produced spyware. Applications that continue to use an older Certifi bundle keep trusting certificates that chain to the TrustCor roots. The exact impact and attack vector are not specified.
CVSS v3 Severity:6.8 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N)
5.9 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availability (A): None
6.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N)
5.9 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availability (A): None
CVSS v2 Severity:6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single
Impact Metrics:Confidentiality (C): None
Integrity (I): Complete
Availability (A): None
Vulnerability Consequences:Unknown
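The summary above comes down to one question for a deployment: does the Certifi bundle the application actually loads still contain TrustCor roots? The following Python script is an added example, not code from the Certifi project or from this advisory. It parses a certifi-style PEM bundle and reports every root whose Label or Subject comment names TrustCor, together with the SHA-256 fingerprint of the DER bytes in the PEM block. It assumes the `# Issuer:` / `# Subject:` / `# Label:` comment lines that certifi's cacert.pem places in front of each certificate. The embedded SAMPLE_BUNDLE is constructed for the example (the base64 bodies are not real certificates, so the fingerprints it prints are fictitious), which lets the script run offline; when the certifi package is installed, the main block scans the real bundle returned by certifi.where() instead.

```python
"""Scan a certifi-style PEM bundle for TrustCor root certificates.

Added example; not code from the certifi project. It relies on the
"# Issuer:" / "# Subject:" / "# Label:" comment lines that certifi's
cacert.pem carries in front of each certificate.
"""
import base64
import hashlib
import re


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes, upper-case hex (certifi's style)."""
    return hashlib.sha256(der).hexdigest().upper()


def _fake_entry(label: str, subject: str) -> str:
    """Build one constructed bundle entry; the body is NOT a real certificate."""
    body = base64.b64encode(f"not a real certificate: {label}".encode()).decode()
    return (
        f"# Issuer: {subject}\n# Subject: {subject}\n# Label: \"{label}\"\n"
        "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"
    )


# Constructed sample bundle in the certifi comment format (assumed input).
SAMPLE_BUNDLE = (
    _fake_entry("Example Root CA", "CN=Example Root CA O=Example Org")
    + "\n"
    + _fake_entry("TrustCor RootCert CA-1",
                  "CN=TrustCor RootCert CA-1 O=TrustCor Systems S. de R.L.")
)


def parse_bundle(text: str) -> list[dict]:
    """Split a certifi-style bundle into entries.

    Each entry carries the Issuer/Subject/Label comment values that precede
    the PEM block and the SHA-256 fingerprint of the DER bytes inside it.
    Comment lines that are not one of those three keys are ignored.
    """
    entries: list[dict] = []
    meta: dict = {}
    pem_lines = None  # None outside a PEM block, list of lines inside one
    for raw in text.splitlines():
        line = raw.strip()
        if pem_lines is None:
            m = re.match(r"#\s*(Issuer|Subject|Label):\s*(.*)", line)
            if m:
                meta[m.group(1).lower()] = m.group(2).strip().strip('"')
            elif line == "-----BEGIN CERTIFICATE-----":
                pem_lines = []
        elif line == "-----END CERTIFICATE-----":
            der = base64.b64decode("".join(pem_lines))
            entries.append({
                "label": meta.get("label", ""),
                "subject": meta.get("subject", ""),
                "issuer": meta.get("issuer", ""),
                "sha256": fingerprint(der),
            })
            meta, pem_lines = {}, None
        else:
            pem_lines.append(line)
    return entries


def find_trustcor(text: str) -> list[dict]:
    """Return the bundle entries whose label or subject names TrustCor."""
    return [
        e for e in parse_bundle(text)
        if "trustcor" in (e["label"] + " " + e["subject"]).lower()
    ]


if __name__ == "__main__":
    try:
        import certifi  # scan the bundle the application would really load
        path = certifi.where()
        with open(path, encoding="utf-8") as fh:
            hits = find_trustcor(fh.read())
        print(f"certifi {certifi.__version__} bundle at {path}: "
              f"{len(hits)} TrustCor root(s)")
    except ImportError:
        hits = find_trustcor(SAMPLE_BUNDLE)
        print(f"certifi not installed; constructed sample bundle: "
              f"{len(hits)} TrustCor root(s)")
    for h in hits:
        print(f"  {h['label']}  sha256={h['sha256']}")
```

Any hit against the real bundle means the application still accepts certificates chaining to a TrustCor root; the remediation is to upgrade certifi to 2022.12.07 or later, or, for the IBM products listed below, to apply the vendor fix. Because many products vendor their own copy of cacert.pem rather than using the installed certifi package, point the script at the bundle path the product actually loads (for example the value of the REQUESTS_CA_BUNDLE or SSL_CERT_FILE environment variables, where set) rather than trusting the package version alone.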
References:Source: MITRE
Type: CNA
CVE-2022-23491

Source: XF
Type: UNKNOWN
certifi-cve202223491-unspecified(241627)

Source: CCN
Type: python-certifi GIT Repository
Removal of TrustCor root certificate

Source: security-advisories@github.com
Type: Third Party Advisory
security-advisories@github.com

Source: security-advisories@github.com
Type: Mailing List, Third Party Advisory
security-advisories@github.com

Source: CCN
Type: IBM Security Bulletin 6855127 (Watson Discovery)
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Certifi

Source: CCN
Type: IBM Security Bulletin 6857265 (Spectrum Protect Plus File Systems Agent)
Vulnerabilities in Certifi, Setuptools and Python may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-23491, CVE-2022-40897, CVE-2022-45061)

Source: CCN
Type: IBM Security Bulletin 6858005 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to [CVE-2022-23491]

Source: CCN
Type: IBM Security Bulletin 6890731 (Robotic Process Automation)
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.

Source: CCN
Type: IBM Security Bulletin 6955071 (Cloud Pak for Network Automation)
IBM Cloud Pak for Network Automation v2.4.3 addresses multiple security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6956311 (Cloud Pak for Multicloud Management)
Multiple Vulnerabilities in Multicloud Management Security Services

Source: CCN
Type: IBM Security Bulletin 6958452 (QRadar User Behavior Analytics)
Certifi package as used by IBM QRadar User Behavior Analytics is vulnerable to improper certificate validation (CVE-2022-23491)

Source: CCN
Type: IBM Security Bulletin 6965352 (Spectrum Protect Plus Container Agent)
Vulnerabilities in Pypa Setuptools, Golang Go, OpenSSH, Minio and Certifi may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift

Source: CCN
Type: IBM Security Bulletin 6967012 (Cloud Pak for Watson AIOps)
Multiple Vulnerabilities in CloudPak for Watson AIOPs

Source: CCN
Type: IBM Security Bulletin 6967641 (Watson Speech Services Cartridge for Cloud Pak for Data)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to errors in TrustCor (CVE-2022-23491)

Source: CCN
Type: IBM Security Bulletin 7003205 (Integrated Analytics System)
Vulnerability in certifi-2018.4.16 affects IBM Integrated Analytics System [CVE-2022-23491]

Source: CCN
Type: IBM Security Bulletin 7003817 (Storage Scale)
A vulnerability in Certifi package may affect IBM Storage Scale (CVE-2022-23491)

Source: CCN
Type: IBM Security Bulletin 7004653 (Cloud Pak for Security)
IBM Cloud Pak for Security includes components with multiple known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7005455 (Spectrum Discover)
IBM Spectrum Discover is vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7010041 (Watson Assistant for Cloud Pak for Data)
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to an unspecified vulnerability in Certifi (CVE-2022-23491)

Source: CCN
Type: IBM Security Bulletin 7015803 (Cloud Pak for Data System)
Vulnerability in certifi-2018.4.16-py2.py3 affects IBM Cloud Pak for Data System 1.0 (CPDS 1.0) [CVE-2022-23491]

Vulnerable Configuration:Configuration CCN 1:
  • cpe:/a:kennethreitz:certifi:2022.09.24:*:*:*:*:python:*:*
  • OR cpe:/a:kennethreitz:certifi:2017.11.05:*:*:*:*:python:*:*
  • AND
  • cpe:/a:ibm:qradar_user_behavior_analytics:1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.0:*:*:*:lts:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:21.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:robotic_process_automation:23.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:6.2:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID                           Class  Title                                                            Last Modified
    oval:org.opensuse.security:def:7591     P      libfreebl3-3.79.4-150400.3.29.1 on GA media (Moderate)           2023-06-12
    oval:org.opensuse.security:def:7769     P      python3-certifi-2018.1.18-150000.3.3.1 on GA media (Moderate)    2023-06-12
    oval:org.opensuse.security:def:51982    P      Security update for python-certifi (Important)                   2023-01-25
    oval:org.opensuse.security:def:51981    P      Security update for mozilla-nss (Important)                      2023-01-20