CVE-2020-14039 — Improper Certificate Validation in GO

CWE-295 — Improper Certificate Validation6 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.4%

top 37.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang GO Opensuse Leap

Timeline

PublishedJul 17

Latest updateMay 24

Description

In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDgolang/go1.14.0 — 1.14.5+1

▶NVDopensuse/leap15.1, 15.2+1

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-v8jf-78w9-hp93: In Go before 1↗2022-05-24

▶

OSV

Certificate verification error on Windows in crypto/x509↗2022-02-17

▶

CVEList

CVE-2020-14039: In Go before 1↗2020-07-17

▶

📋Vendor Advisories

Microsoft

In Go before 1.13.13 and 1.14.x before 1.14.5 Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows)↗2020-07-14

▶

Debian

CVE-2020-14039: golang-1.15 - In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a che...↗2020

▶