#VU96731 Improper Certificate Validation in python-certifi - CVE-2024-39689

Cybersecurity Help s.r.o.

Published: 2024-09-03

Vulnerability identifier: #VU96731

Vulnerability risk: High

CVSSv4.0: 8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-39689

CWE-ID: CWE-295

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
python-certifi
Other software / Other software solutions

Vendor: Certifi

Description

The vulnerability allows a remote attacker to modify data on the system.

The vulnerability exists due to Certifi python-certifi provide weaker than expected security, caused by the use of GLOBALTRUST root certificate. A remote attacker can trigger the vulnerability to launch further attacks on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

python-certifi: 2022.05.18 - 2024.07.04

External links
https://github.com/certifi/python-certifi/security/advisories/GHSA-248v-346w-9cwc
https://github.com/certifi/python-certifi/commit/bd8153872e9c6fc98f4023df9c2deaffea2fa463
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

IBM Cloud Pak for Data System 2.0 update for Certifi

Multiple vulnerabilities in IBM Maximo Application Suite - IoT Component

Dell SmartFabric Storage Software update for third-party components

Multiple vulnerabilities in QRadar Advisor With Watson for IBM QRadar SIEM

IBM watsonx Orchestrate Cartridge for IBM Cloud Pak for Data update for Certifi

IBM Maximo Application Suite - Monitor Component update for Certifi python-certifi

Multiple vulnerabilities in IBM Netezza for Cloud Pak for Data (on Cloud)

IBM Big SQL on IBM Cloud Pak for Data update for Certifi python-certifi

Multiple vulnerabilities in IBM Fusion HCI Installer

IBM Watson Assistant for IBM Cloud Pak for Data update for Certifi python-certifi