CVE-2024-39689
Certifi removes GLOBALTRUST root certificate
In short
Certifi, a library that stores trusted root certificates for validating SSL connections, removed GLOBALTRUST root certificates due to compliance issues. This removal prevents websites using GLOBALTRUST certificates from being trusted by applications using the updated Certifi library.
Technical detail
Certifi versions 2021.5.30 through 2024.7.3 accepted GLOBALTRUST root certificates for TLS host verification. Version 2024.7.4 removed these certificates from its trust store, following Mozilla's decision to remove them after an investigation found long-running, unresolved compliance issues. Applications still depending on older Certifi versions keep trusting these roots; applications that rely on GLOBALTRUST-issued certificates will experience certificate validation failures once the trust store is updated.
Summary generated and translated by AI from the official description.
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."
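As an added defender's check (example code written for this entry, not part of certifi or the advisory), the script below scans a certifi-style PEM bundle for roots labelled GLOBALTRUST and tests whether a certifi version string falls in the affected range. It assumes certifi's `# Label: "..."` comment convention above each PEM block; the sample bundle is constructed.

```python
import re

# certifi writes a '# Label: "..."' comment above every PEM block in cacert.pem (assumed convention).
_LABEL_RE = re.compile(r'^# Label: "(.+)"', re.MULTILINE)

# Affected range from the advisory: 2021.5.30 up to, but not including, 2024.7.4.
FIRST_AFFECTED = (2021, 5, 30)
FIXED_VERSION = (2024, 7, 4)

def parse_version(version: str) -> tuple:
    """Turn a certifi calendar version ('2024.7.4' or '2024.07.04') into an int tuple."""
    return tuple(int(part) for part in version.split("."))

def version_is_affected(version: str) -> bool:
    """True when this certifi version still ships the GLOBALTRUST roots."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_VERSION

def globaltrust_roots(bundle_text: str) -> list:
    """Labels of GLOBALTRUST roots present in a certifi-style PEM bundle."""
    return [lbl for lbl in _LABEL_RE.findall(bundle_text) if "GLOBALTRUST" in lbl.upper()]

# Constructed sample bundle (not a real certifi file; certificate bodies are placeholders).
SAMPLE_BUNDLE = """\
# Label: "Example Root CA"
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----

# Label: "GLOBALTRUST 2020"
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
"""

def audit_installed() -> str:
    """Report on the certifi package installed in this interpreter, if any."""
    try:
        import certifi
    except ImportError:
        return "certifi is not installed"
    with open(certifi.where(), encoding="utf-8") as fh:
        roots = globaltrust_roots(fh.read())
    version = certifi.__version__
    return (f"certifi {version}: affected={version_is_affected(version)}, "
            f"GLOBALTRUST roots={roots or 'none'}")

if __name__ == "__main__":
    print("sample bundle:", globaltrust_roots(SAMPLE_BUNDLE))
    print(audit_installed())
```

A clean result is an installed version of 2024.7.4 or later with no GLOBALTRUST labels in the bundle; a match on either check means hosts chaining to those roots still validate.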
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected products
certifi · python-certifi
References
https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463
https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI
https://security.netapp.com/advisory/ntap-20241206-0001/