CVE-2024-39689: 
Python vulnerability analysis and mitigation

Certifi, a curated collection of Root Certificates for validating SSL certificates and TLS host identity, has identified a security issue affecting versions from 2021.5.30 to 2024.7.4. The vulnerability involves the recognition of root certificates from GLOBALTRUST, which are being removed from Mozilla's trust store due to long-running and unresolved compliance issues (Mozilla Policy, GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The issue is classified under CWE-345 (Insufficient Verification of Data Authenticity). The vulnerability specifically relates to the inclusion of GLOBALTRUST root certificates that are being removed due to compliance issues identified in Mozilla's investigation (Mozilla Policy).

The vulnerability could potentially lead to the addition or modification of data through compromised certificate validation. According to Mozilla's investigation, GLOBALTRUST's root certificates are being removed due to long-running compliance issues, including failures in incident reporting, delayed responses, and inadequate root cause analyses (Mozilla Policy).

The issue has been addressed in Certifi version 2024.7.04, which removes the GLOBALTRUST root certificates from the root store. Users are advised to upgrade to this version or later. For systems that cannot be immediately updated, the root CAs in question can be added to /etc/pki/ca-trust/source/blacklist on RHEL 8 or /etc/pki/ca-trust/source/blocklist on RHEL 9, followed by running update-ca-trust (NetApp Advisory).

The security community has expressed concerns about the grace period given for the distrust of GLOBALTRUST certificates. Mozilla initially announced a distrust date of June 30, 2024, though some security researchers advocated for immediate distrust given the small number of affected websites and the potential risks of delayed action (Mozilla Policy).