GHSA-248v-346w-9cwc
LOW
Certifi removes GLOBALTRUST root certificate
Published: July 5, 2024
Updated: February 4, 2026
Source: osv
Details
Certifi 2024.07.04 removes the "GLOBALTRUST" root certificates from its root store. These roots are in the process of being removed from Mozilla's trust store.
GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues". The conclusions of Mozilla's investigation can be found [here](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI).
Remediation
Upgrade to the fixed version using your package manager.
pip
Update certifi to 2024.7.4 or later:
`pip install "certifi>=2024.7.4"`
After upgrading, run your dependency scanner again to confirm the vulnerability is resolved.
Affected Packages (1)
| Package | Ecosystem | Affected | Fixed In |
|---|---|---|---|
| certifi | PyPI | 2021.10.8, 2021.5.30, 2022.12.7, 2022.5.18 (+11 more) | 2024.7.4 |
Vulnerability Classification
Common Weakness Enumeration (CWE) identifiers for this vulnerability type.
- CWE-345: Insufficient Verification of Data Authenticity (MITRE)
References
- https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc (web)
- https://nvd.nist.gov/vuln/detail/CVE-2024-39689 (advisory)
- https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463 (web)
- https://github.com/certifi/python-certifi (package)
- https://github.com/pypa/advisory-database/tree/main/vulns/certifi/PYSEC-2024-230.yaml (web)
- https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI (web)
- https://security.netapp.com/advisory/ntap-20241206-0001 (web)
Risk Assessment
EPSS Score (30-day exploit probability): 21.23% (higher than 96% of vulnerabilities)