CVE-2024-39689

2024-07-0519:15:10

CWE-345

GitHub_M

web.nvd.nist.gov

certifi

root certificates

ssl

tls

trustworthiness

compliance

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

Percentile

15.8%

JSON

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from GLOBALTRUST. Certifi 2024.07.04 removes root certificates from GLOBALTRUST from the root store. These are in the process of being removed from Mozilla’s trust store. GLOBALTRUST’s root certificates are being removed pursuant to an investigation which identified “long-running and unresolved compliance issues.”

Affected configurations

Vulners

Node

certifipython_certifiRange2021.05.30–2024.07.04

VendorProductVersionCPE
certifipython_certifi*cpe:2.3:a:certifi:python_certifi:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
certifi	python_certifi	*	cpe:2.3:a:certifi:python_certifi::::::::

CNA Affected

[
  {
    "vendor": "certifi",
    "product": "python-certifi",
    "versions": [
      {
        "version": ">= 2021.05.30, < 2024.07.04",
        "status": "affected"
      }
    ]
  }
]