CVE-2024-39689
Published: 05 July 2024
Summary
CVE-2024-39689 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Certifi. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 3.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
Certifi is a Python package that supplies a curated bundle of root certificates used to validate TLS connections. Versions from 2021.5.30 through 2024.7.3 included the GLOBALTRUST root certificates in the trust store; these roots were removed in 2024.7.4. While they were present, any certificate chain anchored to a GLOBALTRUST root was accepted as trustworthy when a client validated a TLS server's certificate, which corresponds to CWE-345 (insufficient verification of data authenticity) and carries a CVSS 3.1 base score of 7.5.
An unauthenticated network attacker can exploit the flaw by presenting a TLS certificate that chains to a GLOBALTRUST root. Because the affected Certifi bundle still recognizes that root, client software using the bundle accepts the certificate, allowing the attacker to intercept or modify traffic without triggering a validation failure; this is the source of the high integrity impact.
The GitHub Security Advisory GHSA-248v-346w-9cwc and the associated commit bd81538 document the removal of the GLOBALTRUST roots, aligning with Mozilla’s earlier decision to distrust the same roots because of unresolved compliance issues. Users are advised to upgrade to Certifi 2024.7.4 or later.
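As an added defender-side check (not code from the Certifi project or from this advisory), the following Python tests a version string against the affected window and scans a certifi-style bundle for entries whose metadata names the removed GLOBALTRUST roots. It assumes certifi's per-certificate `# Subject:` / `# Label:` comment headers precede each PEM block, and the sample bundle is constructed with a placeholder PEM body.

```python
# Check a certifi-style CA bundle for roots that should no longer be trusted
# (GLOBALTRUST, dropped in certifi 2024.7.4) and test the installed version.
import re

# Version window from the advisory: affected if 2021.5.30 <= v < 2024.7.4.
FIRST_AFFECTED, FIXED = (2021, 5, 30), (2024, 7, 4)

# Assumption: certifi's cacert.pem precedes each PEM block with comment headers
# such as "# Issuer:", "# Subject:" and '# Label: "..."'.
ENTRY_RE = re.compile(
    r"((?:^#[^\n]*\n)+)-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
    re.MULTILINE | re.DOTALL)

def parse_version(text):
    # '2024.07.04' and '2024.7.4' both compare as (2024, 7, 4).
    return tuple(int(part) for part in text.strip().split("."))

def version_is_affected(text):
    return FIRST_AFFECTED <= parse_version(text) < FIXED

def find_roots(bundle_text, needle):
    """Names of bundle entries whose metadata headers mention needle."""
    hits = []
    for match in ENTRY_RE.finditer(bundle_text):
        header = match.group(1)
        if needle.lower() not in header.lower():
            continue
        name = (re.search(r'^# Label: "(.*)"', header, re.MULTILINE)
                or re.search(r"^# Subject: (.*)", header, re.MULTILINE))
        hits.append(name.group(1) if name else "<unlabelled entry>")
    return hits

def check_installed(needle="GLOBALTRUST"):
    """(version, version_affected, roots_present) for the installed certifi."""
    try:
        import certifi
    except ImportError:
        return None
    with open(certifi.where(), encoding="utf-8") as fh:
        roots = find_roots(fh.read(), needle)
    return certifi.__version__, version_is_affected(certifi.__version__), roots

# Constructed sample bundle; the PEM body is a placeholder, not a certificate.
SAMPLE_BUNDLE = """\
# Subject: CN=GLOBALTRUST 2020 O=Example Operator
# Label: "GLOBALTRUST 2020"
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
"""
```

Run `check_installed()` inside each environment whose clients use certifi; any other bundle file those clients load can be read and passed to `find_roots` the same way.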
The EPSS score for this CVE currently stands at 0.2581 with a recorded peak of 0.2630.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2220
Vulnerability details
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes root certificates from `GLOBALTRUST` from the root store. These are in the process of being removed from Mozilla's trust store. `GLOBALTRUST`'s root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requires independent verification of matching output before adverse decisions are taken, mitigating insufficient authenticity checks on data from external sources.
- Use of approved PKI certificates provides verifiable data authenticity and origin for communications and artifacts.
- Mandates provision of authenticity and integrity artifacts that enable verification of name/address resolution data.
- Requires explicit verification of data authenticity from authoritative sources, preventing acceptance of unauthenticated resolution responses.
- Requires verification of data authenticity/integrity (e.g., checksums) after aggregation/packing, directly reducing exploitation of insufficient verification before transmission.
- Time synchronization supports reliable freshness verification when checking data authenticity across systems or components.
- Mandates verification of data authenticity for software, firmware, and information.
- Provenance documentation and monitoring directly enable verification of authenticity for components and data throughout their history.