CVE-2024-39689 – certifi
Package
Manager: pip
Name: certifi
Vulnerable Version: >=2021.5.30 <2024.7.4
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.21233 (percentile: 0.95461)
Details
Certifi removes GLOBALTRUST root certificate
Certifi 2024.07.04 removes root certificates from "GLOBALTRUST" from the root store. These are in the process of being removed from Mozilla's trust store. GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues". Conclusions of Mozilla's investigation can be found [here](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI).
Metadata
Created: 2024-07-05T20:06:40Z
Modified: 2025-02-13T00:44:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-248v-346w-9cwc/GHSA-248v-346w-9cwc.json
CWE IDs: ["CWE-345"]
Alternative ID: GHSA-248v-346w-9cwc
Finding: F204
Auto approve: 1