{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39689", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-27T18:44:13.035Z", "datePublished": "2024-07-05T18:39:33.202Z", "dateUpdated": "2024-08-02T04:26:15.967Z"}, "containers": {"cna": {"title": "Certifi removes GLOBALTRUST root certificate", "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc"}, {"name": "https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463", "tags": ["x_refsource_MISC"], "url": "https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463"}, {"name": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI", "tags": ["x_refsource_MISC"], "url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI"}], "affected": [{"vendor": "certifi", "product": "python-certifi", "versions": [{"version": ">= 2021.05.30, < 2024.07.04", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-05T18:39:33.202Z"}, "descriptions": [{"lang": "en", "value": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified \"long-running and unresolved compliance issues.\""}], "source": {"advisory": "GHSA-248v-346w-9cwc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-05T20:06:09.735041Z", "id": "CVE-2024-39689", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T20:06:22.343Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:26:15.967Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc"}, {"name": "https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463"}, {"name": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39689", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-05T20:06:09.735041Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T20:06:18.262Z"}}], "cna": {"title": "Certifi removes GLOBALTRUST root certificate", "source": {"advisory": "GHSA-248v-346w-9cwc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "certifi", "product": "python-certifi", "versions": [{"status": "affected", "version": ">= 2021.05.30, < 2024.07.04"}]}], "references": [{"url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc", "name": "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463", "name": "https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463", "tags": ["x_refsource_MISC"]}, {"url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI", "name": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified \"long-running and unresolved compliance issues.\""}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345: Insufficient Verification of Data Authenticity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-05T18:39:33.202Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39689", "state": "PUBLISHED", "dateUpdated": "2024-07-05T20:06:22.343Z", "dateReserved": "2024-06-27T18:44:13.035Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-05T18:39:33.202Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified \"long-running and unresolved compliance issues.\""}, {"lang": "es", "value": " Certifi es una colecci\u00f3n seleccionada de certificados ra\u00edz para validar la confiabilidad de los certificados SSL mientras se verifica la identidad de los hosts TLS. Certifi a partir de 2021.05.30 y antes de 2024.07.4 reconoci\u00f3 los certificados ra\u00edz de `GLOBALTRUST`. Certifi 2024.07.04 elimina los certificados ra\u00edz de `GLOBALTRUST` del almac\u00e9n ra\u00edz. Estos est\u00e1n en proceso de ser eliminados del almac\u00e9n de confianza de Mozilla. Los certificados ra\u00edz de \"GLOBALTRUST\" se est\u00e1n eliminando tras una investigaci\u00f3n que identific\u00f3 \"problemas de cumplimiento de larga duraci\u00f3n y no resueltos\"."}], "id": "CVE-2024-39689", "lastModified": "2024-07-08T15:49:22.437", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-05T19:15:10.247", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463"}, {"source": "security-advisories@github.com", "url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc"}, {"source": "security-advisories@github.com", "url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "python-certifi: Remove root certificates from `GLOBALTRUST` from the root store", "id": "2296020", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2296020"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-345", "details": ["Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.07.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified \"long-running and unresolved compliance issues.\"", "A flaw was found in Certifi, a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certain versions of Certifi recognized root certificates from 'GLOBALTRUST'. However, pursuant to an investigation that identified \"long-running and unresolved compliance issues,\" GLOBALTRUST's root certificates are now removed from the root store."], "mitigation": {"lang": "en:us", "value": "This issue can be mitigated by adding the root CAs in question to /etc/pki/ca-trust/source/blacklist on RHEL 8 or /etc/pki/ca-trust/source/blocklist on RHEL 9 and running update-ca-trust.\nSee also https://www.redhat.com/sysadmin/configure-ca-trust-list."}, "name": "CVE-2024-39689", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "python3x-certifi", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "python-certifi", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Not affected", "package_name": "python-certifi", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:7", "fix_state": "Not affected", "package_name": "python-certifi", "product_name": "Red Hat Ceph Storage 7"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "python-certifi", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Not affected", "package_name": "python-certifi", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "python-certifi", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Not affected", "package_name": "python-certifi", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "python-certifi", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhui:4::el8", "fix_state": "Not affected", "package_name": "python-certifi", "product_name": "Red Hat Update Infrastructure 4 for Cloud Providers"}], "public_date": "2024-07-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-39689\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-39689\nhttps://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463\nhttps://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc\nhttps://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI"], "statement": "Red Hat Satellite ships an affected version of python-certifi; however, the product includes a separate CA bundle installed from RHEL with a custom product-based patch. Hence it is not using the certificates provided upstream and not affected by the flaw. Red Hat Product Security team does not foresee any impact on the confidentiality, integrity or availability of system for this product due to this flaw.", "threat_severity": "Low"}