FKIE_CVE-2024-39689

Vulnerability from fkie_nvd - Published: 2024-07-05 19:15 - Updated: 2025-02-15 00:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."
References
security-advisories@github.comhttps://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463Patch
security-advisories@github.comhttps://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwcVendor Advisory
security-advisories@github.comhttps://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dIMailing List
af854a3a-2127-422b-91ae-364da2661108https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwcVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dIMailing List
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20241206-0001/Third Party Advisory
Impacted products
Vendor Product Version
certifi certifi *
netapp management_services_for_element_software_and_netapp_hci -
netapp ontap_select_deploy_administration_utility -
netapp ontap_tools 10
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:certifi:certifi:*:*:*:*:*:python:*:*",
              "matchCriteriaId": "BCBAE7B1-6D3F-435F-9917-28DE8A8DA0B1",
              "versionEndExcluding": "2024.7.4",
              "versionStartIncluding": "2021.5.30",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "FDAC85F0-93AF-4BE3-AE1A-8ADAF1CDF9AB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "E7CF3019-975D-40BB-A8A4-894E62BD3797",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:ontap_tools:10:*:*:*:*:vmware_vsphere:*:*",
              "matchCriteriaId": "5333B745-F7A3-46CB-8437-8668DB08CD6F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla\u0027s trust store. `GLOBALTRUST`\u0027s root certificates are being removed pursuant to an investigation which identified \"long-running and unresolved compliance issues.\""
    },
    {
      "lang": "es",
      "value": " Certifi es una colecci\u00f3n seleccionada de certificados ra\u00edz para validar la confiabilidad de los certificados SSL mientras se verifica la identidad de los hosts TLS. Certifi a partir de 2021.05.30 y antes de 2024.07.4 reconoci\u00f3 los certificados ra\u00edz de `GLOBALTRUST`. Certifi 2024.07.04 elimina los certificados ra\u00edz de `GLOBALTRUST` del almac\u00e9n ra\u00edz. Estos est\u00e1n en proceso de ser eliminados del almac\u00e9n de confianza de Mozilla. Los certificados ra\u00edz de \"GLOBALTRUST\" se est\u00e1n eliminando tras una investigaci\u00f3n que identific\u00f3 \"problemas de cumplimiento de larga duraci\u00f3n y no resueltos\"."
    }
  ],
  "id": "CVE-2024-39689",
  "lastModified": "2025-02-15T00:15:13.183",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-07-05T19:15:10.247",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List"
      ],
      "url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20241206-0001/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-345"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-345"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.