Certifi removes GLOBALTRUST root certificate

Description

Certifi 2024.07.04 removes root certificates from "GLOBALTRUST" from the root store. These are in the process of being removed from Mozilla's trust store.

GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues". Conclusions of Mozilla's investigation can be found here.

Basic information

Type
reviewed
Severity
low
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2024-07-05 20:06:40 UTC
Updated
2025-02-13 00:44:20 UTC
GitHub reviewed
2024-07-05 20:06:40 UTC
NVD published
2024-07-05

EPSS Score

Score Percentile
21.23% 95.53%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id Name
CWE-345 Insufficient Verification of Data Authenticity

Credits

  • Kwpolska (analyst)
  • pcreager23 (analyst)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip certifi >= 2021.5.30, < 2024.7.4 2024.7.4

References

cvelogic Threat Intelligence