Certifi 2024.07.04 removes root certificates from "GLOBALTRUST" from the root store. These are in the process of being removed from Mozilla's trust store.
GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues". Conclusions of Mozilla's investigation can be found here.
| Score | Percentile |
|---|---|
| 21.23% | 95.53% |
No CVSS scores in this advisory.
| Type | Value |
|---|---|
| GHSA | GHSA-248v-346w-9cwc ↗ |
| CVE | CVE-2024-39689 ↗ |
| CWE id | Name |
|---|---|
| CWE-345 | Insufficient Verification of Data Authenticity |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| pip | certifi | >= 2021.5.30, < 2024.7.4 | 2024.7.4 | — |