MEDIUM · CVSS 5.3
CVE-2024-39689 — certifi kept GLOBALTRUST root certificates after Mozilla moved to distrust them
certifi (the root CA bundle most Python HTTP clients validate against) continued to ship the GLOBALTRUST 2020 root after Mozilla decided to remove it from its trust store, so a certificate chaining to a CA that browsers no longer trusted could still be accepted by Python applications.
Affects
- certifi >= 2021.05.30 and < 2024.07.04 (the GLOBALTRUST roots entered the bundle in 2021.05.30 and were removed in 2024.07.04)
What an attacker does
Python HTTP clients such as requests validate server certificates against certifi's bundle rather than the operating system's trust store. While certifi still carried the GLOBALTRUST roots, an attacker in a man-in-the-middle position who held a certificate for the target hostname chaining to GLOBALTRUST could have it accepted by any Python client using an unpatched bundle, even after browsers had stopped trusting that CA. No specific mis-issued certificate is cited; the distrust rests on the investigation that found "long-running and unresolved compliance issues" at the CA.
How to detect
Run `pip show certifi` (or `pip-audit`) in every environment and compare the reported version against 2024.07.04. Because requirements files and lockfiles often pin certifi transitively, check resolved versions, not just direct pins.
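A version check alone can miss a vendored or patched bundle, so the added example below (not part of the original page or the certifi project) checks both: it classifies a certifi date version against the affected range, and it scans a bundle in certifi's cacert.pem layout for `# Label:` comment lines naming GLOBALTRUST. The sample bundle is constructed for the example; its certificate bodies are placeholders, not real certificates. If certifi is installed, `check_installed()` runs the same scan on the live bundle via `certifi.contents()`.

```python
"""Detect certifi builds that still ship GLOBALTRUST roots (CVE-2024-39689)."""
from __future__ import annotations

import re

# certifi first shipped the GLOBALTRUST roots in 2021.05.30 and dropped them in 2024.07.04.
FIRST_AFFECTED = (2021, 5, 30)
FIXED = (2024, 7, 4)


def parse_version(version: str) -> tuple[int, int, int]:
    """certifi releases are calendar dates ("YYYY.MM.DD"), so they compare as int tuples."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a certifi date version: {version!r}")
    year, month, day = (int(p) for p in parts)
    return (year, month, day)


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside the affected range [2021.05.30, 2024.07.04)."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED


# certifi's cacert.pem prefixes each certificate with comment lines such as
#   # Issuer: CN=... O=...
#   # Subject: CN=... O=...
#   # Label: "GLOBALTRUST 2020"
# so the bundle can be inspected for a CA by name without parsing ASN.1.
LABEL_RE = re.compile(r'^# Label: "(.*)"\s*$', re.MULTILINE)


def root_labels(bundle_text: str) -> list[str]:
    """All root labels in a bundle written in certifi's commented PEM layout."""
    return LABEL_RE.findall(bundle_text)


def globaltrust_roots(bundle_text: str) -> list[str]:
    """Labels of roots belonging to GLOBALTRUST; non-empty means the bundle is affected."""
    return [label for label in root_labels(bundle_text) if "GLOBALTRUST" in label.upper()]


# Constructed sample in certifi's layout. Serials and PEM bodies are placeholders, not real data.
SAMPLE_BUNDLE = """\
# Issuer: CN=Example Root CA O=Example Org
# Subject: CN=Example Root CA O=Example Org
# Label: "Example Root CA"
# Serial: 1
-----BEGIN CERTIFICATE-----
PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER
-----END CERTIFICATE-----

# Issuer: CN=GLOBALTRUST 2020 O=e-commerce monitoring GmbH
# Subject: CN=GLOBALTRUST 2020 O=e-commerce monitoring GmbH
# Label: "GLOBALTRUST 2020"
# Serial: 2
-----BEGIN CERTIFICATE-----
PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER
-----END CERTIFICATE-----
"""


def check_installed() -> dict | None:
    """Inspect the certifi actually importable here; None if certifi is not installed."""
    try:
        import certifi
    except ImportError:
        return None
    version = certifi.__version__
    return {
        "version": version,
        "bundle_path": certifi.where(),
        "vulnerable_by_version": is_vulnerable(version),
        "globaltrust_roots": globaltrust_roots(certifi.contents()),
    }


if __name__ == "__main__":
    print("sample bundle GLOBALTRUST roots:", globaltrust_roots(SAMPLE_BUNDLE))
    result = check_installed()
    print("installed certifi:", result if result else "not installed")
```

Treat either signal as a finding: a version inside the affected range, or any GLOBALTRUST label in the live bundle (which also catches a bundle copied out of an old certifi into a container image).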
How to fix
Upgrade certifi to 2024.07.04 or later (`pip install -U "certifi>=2024.07.04"`) and regenerate any lockfiles that pin it transitively. Rebuild container images that bake in site-packages, since an old bundle survives there until the image is rebuilt. Clients configured to use the operating system trust store instead of certifi's bundle are governed by that store's handling of GLOBALTRUST, not by this fix.
How Securie catches CVE-2024-39689
Securie's Python specialist flags projects that pin or resolve certifi to a version below 2024.07.04.