Certifi
CVE-2024-39689
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 188 pypi packages depend on certifi (172 direct, 16 indirect)
Ecosystem-wide dependent count for version 2021.5.30.
DescriptionNVD
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from GLOBALTRUST. Certifi 2024.7.04 removes root certificates from GLOBALTRUST from the root store. These are in the process of being removed from Mozilla's trust store. GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."
AnalysisAI
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-345. Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from GLOBALTRUST. Certifi 2024.7.04 removes root certificates from GLOBALTRUST from the root store. These are in the process of being removed from Mozilla's trust store. GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues." Affected products include: Certifi, Netapp Management Services For Element Software And Netapp Hci, Netapp Ontap Select Deploy Administration Utility, Netapp Ontap Tools. Version information: prior to 2024.7.4.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verify
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verify
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today