MEDIUM · CVSS 5.3
CVE-2024-39689 — certifi kept trusting GLOBALTRUST root certificates after Mozilla distrusted them
certifi, the Python package that ships a copy of Mozilla's root CA bundle for requests, pip and many other clients, continued to include the GLOBALTRUST root certificates after Mozilla began removing them from its trust store following a compliance investigation. Until version 2024.07.04, Python clients validating TLS against the certifi bundle would still accept certificates chaining to a CA that the Mozilla root program no longer trusted.
Affects
- certifi < 2024.07.04
What an attacker does
Python clients such as requests, and pip through its vendored copy, trust exactly the roots certifi ships; they do not consult the operating system trust store. Once Mozilla distrusted GLOBALTRUST, a certificate chaining to a GLOBALTRUST root, whether misissued, improperly revoked, or otherwise obtained through the lapses that led to the distrust, would still validate in any Python process using an older certifi bundle. An attacker holding such a certificate and sitting in a man-in-the-middle position could impersonate a host (an API endpoint, a package index) to those clients without triggering a certificate error. The advisory cites no known abuse of a GLOBALTRUST-issued certificate; the risk is the window during which Python kept trusting a CA the root programs had stopped trusting.
How to detect
`pip show certifi` reports the version of the installed package. That alone is not conclusive: pip carries its own vendored copy of certifi, and deployments that set `REQUESTS_CA_BUNDLE` or `SSL_CERT_FILE` load a different file entirely. Check the bundle that is actually in use with `python -c "import certifi; print(certifi.__version__, certifi.where())"`, check pip's copy with `python -c "from pip._vendor import certifi; print(certifi.__version__)"`, and inspect any custom bundle for a GLOBALTRUST root.
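The following script is an added example for this advisory, not Securie tooling and not certifi's own code. It performs the two checks described above: it compares the installed certifi version against 2024.07.04, and it scans the CA bundle that would actually be loaded (honouring the REQUESTS_CA_BUNDLE and SSL_CERT_FILE overrides) for any certificate whose DER encoding carries the GLOBALTRUST issuer name. The `CONSTRUCTED_BUNDLE` at the bottom is synthetic test data whose base64 payloads are not real X.509 structures; it exists only so the scanner can be exercised offline.

```python
"""Check a Python environment for CVE-2024-39689 exposure (added example)."""
import base64
import os
import re
from typing import List, Optional, Tuple

FIXED_VERSION = "2024.07.04"
# Name fragment of the distrusted roots, searched for inside each DER cert.
DISTRUSTED_NAME = b"GLOBALTRUST"

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def parse_version(v: str) -> Tuple[int, ...]:
    """certifi versions are dates (YYYY.MM.DD); compare them as int tuples."""
    return tuple(int(p) for p in v.strip().split("."))


def version_is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed certifi predates the release that dropped GLOBALTRUST."""
    return parse_version(installed) < parse_version(fixed)


def find_distrusted_certs(bundle_pem: bytes, name: bytes = DISTRUSTED_NAME) -> List[int]:
    """Return 0-based indexes of PEM blocks whose DER bytes contain `name`.

    X.509 subject names are stored as ASCII-compatible strings inside the DER,
    so a raw substring match finds the GLOBALTRUST roots without an X.509
    parser. This is a bundle-content heuristic, not a chain validation.
    """
    hits = []
    for i, m in enumerate(PEM_RE.finditer(bundle_pem)):
        der = base64.b64decode(b"".join(m.group(1).split()))
        if name in der:
            hits.append(i)
    return hits


def installed_certifi() -> Optional[Tuple[str, str]]:
    """(version, bundle path) of the importable certifi, or None if absent."""
    try:
        import certifi  # third-party; may be missing in minimal environments
    except ImportError:
        return None
    return certifi.__version__, certifi.where()


def pip_vendored_certifi_version() -> Optional[str]:
    """Version of the certifi copy vendored inside pip, or None if pip is absent."""
    try:
        from pip._vendor import certifi as pip_certifi  # pip ships its own copy
    except ImportError:
        return None
    return pip_certifi.__version__


def check_environment() -> dict:
    """Gather version and bundle findings for the current interpreter."""
    report = {"certifi": None, "vulnerable_version": None,
              "pip_certifi": pip_vendored_certifi_version(),
              "bundle": None, "distrusted_indexes": []}
    info = installed_certifi()
    # Same overrides requests/pip honour: that file, not certifi's, is what gets loaded.
    bundle = os.environ.get("REQUESTS_CA_BUNDLE") or os.environ.get("SSL_CERT_FILE")
    if info:
        report["certifi"], path = info
        report["vulnerable_version"] = version_is_vulnerable(info[0])
        bundle = bundle or path
    if bundle and os.path.exists(bundle):
        report["bundle"] = bundle
        with open(bundle, "rb") as f:
            report["distrusted_indexes"] = find_distrusted_certs(f.read())
    return report


def _fake_pem(payload: bytes) -> bytes:
    """Wrap arbitrary bytes as a PEM block (constructed test data, not a real cert)."""
    b64 = base64.b64encode(payload)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


# Constructed sample bundle: two fake blocks, only the second names GLOBALTRUST.
CONSTRUCTED_BUNDLE = (
    _fake_pem(b"\x30\x82CN=Some Other Root CA, O=Example, C=XX")
    + _fake_pem(b"\x30\x82CN=GLOBALTRUST 2020, O=e-commerce monitoring GmbH, C=AT")
)

if __name__ == "__main__":
    r = check_environment()
    print(f"certifi {r['certifi']} (vulnerable version: {r['vulnerable_version']})")
    print(f"pip's vendored certifi: {r['pip_certifi']}")
    print(f"bundle {r['bundle']}: distrusted certs at indexes {r['distrusted_indexes']}")
```

Run it inside each virtualenv or container image you ship; a clean result is an empty `distrusted_indexes` list together with a certifi version at or above 2024.07.04 for both the package and pip's vendored copy.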
How to fix
Upgrade certifi to 2024.07.04 or later (`pip install -U certifi`) and rebuild any container images, lockfiles or frozen environments that pin an older version. Upgrade pip itself as well, since it ships its own vendored copy of certifi that `pip install -U certifi` does not touch. If you distribute a custom bundle through `REQUESTS_CA_BUNDLE` or `SSL_CERT_FILE`, regenerate it from a current root store so the GLOBALTRUST roots are gone there too.
How Securie catches it
Securie's Python scanner flags installed or pinned certifi versions below 2024.07.04.