CVE-2024-39689 (High) detected in certifi-2023.7.22-py3-none-any.whl - autoclosed #784

mend-for-github-com · 2024-07-20T16:39:49Z

CVE-2024-39689 - High Severity Vulnerability

Vulnerable Library - certifi-2023.7.22-py3-none-any.whl

Python package for providing Mozilla's CA Bundle.

Library home page: https://files.pythonhosted.org/packages/4c/dd/2234eab22353ffc7d94e8d13177aaa050113286e93e7b40eae01fbf7c3d9/certifi-2023.7.22-py3-none-any.whl

Dependency Hierarchy:

❌ certifi-2023.7.22-py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from GLOBALTRUST. Certifi 2024.07.04 removes root certificates from GLOBALTRUST from the root store. These are in the process of being removed from Mozilla's trust store. GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues."

Publish Date: 2024-07-05

URL: CVE-2024-39689

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-248v-346w-9cwc

Release Date: 2024-07-05

Fix Resolution: certifi - 2024.07.04

The text was updated successfully, but these errors were encountered:

dblock · 2024-07-20T20:21:21Z

@hugovk since this is a "high" CVE, see if this introduced by one of the upgrade changes?

hugovk · 2024-07-20T21:18:26Z

Hmm, I don't think so, the changes removed two third-party libraries to use the standard library instead.

The mentioned filename is referenced in samples/poetry.lock and benchmarks/poetry.lock which I didn't touch. I guess these should be updated -- can mend-for-github-com create update PRs like Dependabot and Renovate?

dblock · 2024-08-12T16:06:55Z

[Catch All Triage - 1, 2, 3]

mend-for-github-com · 2024-08-14T22:29:27Z

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Jul 20, 2024

github-actions bot added the untriaged Need triage label Jul 20, 2024

dblock removed the untriaged Need triage label Aug 12, 2024

dblock self-assigned this Aug 12, 2024

dblock mentioned this issue Aug 13, 2024

Updated dependencies, generated API. #793

Merged

mend-for-github-com bot changed the title ~~CVE-2024-39689 (High) detected in certifi-2023.7.22-py3-none-any.whl~~ CVE-2024-39689 (High) detected in certifi-2023.7.22-py3-none-any.whl - autoclosed Aug 14, 2024

mend-for-github-com bot closed this as completed Aug 14, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2024-39689 (High) detected in certifi-2023.7.22-py3-none-any.whl - autoclosed #784

CVE-2024-39689 (High) detected in certifi-2023.7.22-py3-none-any.whl - autoclosed #784

mend-for-github-com bot commented Jul 20, 2024

dblock commented Jul 20, 2024

hugovk commented Jul 20, 2024

dblock commented Aug 12, 2024

mend-for-github-com bot commented Aug 14, 2024

CVE-2024-39689 (High) detected in certifi-2023.7.22-py3-none-any.whl - autoclosed #784

CVE-2024-39689 (High) detected in certifi-2023.7.22-py3-none-any.whl - autoclosed #784

Comments

mend-for-github-com bot commented Jul 20, 2024

CVE-2024-39689 - High Severity Vulnerability

dblock commented Jul 20, 2024

hugovk commented Jul 20, 2024

dblock commented Aug 12, 2024

mend-for-github-com bot commented Aug 14, 2024