CVE-2024-39689
Certifi removes GLOBALTRUST root certificate
Public Exploits: 1
Exploited in Wild: -
Descriptions
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."
SSVC
- Decision: Track
Timeline
- 2024-06-27 CVE Reserved
- 2024-07-05 CVE Published
- 2024-07-06 EPSS Updated
- 2024-07-06 First Exploit
- 2024-12-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-345: Insufficient Verification of Data Authenticity
References (4)
URL | Tag | Source |
---|---|---|
https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463 | X_refsource_misc | |
https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc | X_refsource_confirm | |
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI | X_refsource_misc | |
URL | Date | SRC |
---|---|---|
https://github.com/roy-aladin/InfraTest | 2024-07-06 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Amazon | Linux | * | - | Affected |
Fedoraproject | Fedora | * | - | Affected |