CVE-2017-1000097: Improper Certificate Validation in Go

Severity
7.5 HIGH (NVD)
EPSS
0.2%
top 60.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Oct 5
Latest update: May 24

Description

On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (1 package)

NVD: golang/go 1.7 1.7.4 +1

🔴 Vulnerability Details (3)

OSV: Mishandled trust preferences for root certificates on Darwin in crypto/x509 (2022-05-24)
GHSA: GHSA-2g28-jxx8-mj9h: On Darwin, user's trust preferences for root certificates were not honored (2022-05-14)
CVEList: CVE-2017-1000097: On Darwin, user's trust preferences for root certificates were not honored (2017-10-04)

📋 Vendor Advisories (2)

Microsoft: On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify (2017-10-10)
Red Hat: golang: User's trust preferences for root certificates were not honored (2016-12-01)

💬 Community (3)

Bugzilla: CVE-2017-1000097 golang: User's trust preferences for root certificates were not honored (2016-12-14)
Bugzilla: CVE-2017-1000097 golang: User's trust preferences for root certificates were not honored [epel-all] (2016-12-14)
Bugzilla: CVE-2017-1000097 golang: User's trust preferences for root certificates were not honored [fedora-all] (2016-12-14)
CVE-2017-1000097 — Improper Certificate Validation | cvebase