PT-2020-13858

Published: 2020-02-28 · Updated: 2024-06-15 · CVE-2020-14039

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Go versions prior to 1.13.13
Go versions 1.14.x prior to 1.14.5

Description
The issue concerns incomplete X.509 certificate verification. Specifically, under certain conditions on Windows, the Certificate.Verify function may not check the EKU (Extended Key Usage) requirements specified in VerifyOptions.KeyUsages when VerifyOptions.Roots is nil. This could allow a certificate to be accepted for an unintended purpose.

Recommendations
For Go versions prior to 1.13.13, update to version 1.13.13 or later. For Go versions 1.14.x prior to 1.14.5, update to version 1.14.5 or later. As a temporary workaround, ensure VerifyOptions.Roots is not nil when calling Certificate.Verify on Windows, so that the EKU requirements in VerifyOptions.KeyUsages are enforced.
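The workaround above, as an added example that is not code from this advisory or from the Go project: a wrapper that refuses a nil Roots pool and re-checks the leaf's EKU on its own after Certificate.Verify, plus a constructed CA/leaf pair so it can be exercised offline. The names VerifyWithEKU and MintTestChain are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// VerifyWithEKU wraps Certificate.Verify defensively: it refuses a nil Roots pool and re-checks the
// leaf's EKU itself (a leaf with no EKU extension is rejected, which is stricter than crypto/x509).
func VerifyWithEKU(leaf *x509.Certificate, roots *x509.CertPool, usages []x509.ExtKeyUsage) error {
	if roots == nil || len(usages) == 0 {
		return errors.New("Roots and KeyUsages must be set explicitly")
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: usages}); err != nil {
		return err
	}
	for _, want := range usages {
		for _, have := range leaf.ExtKeyUsage {
			if want == x509.ExtKeyUsageAny || have == x509.ExtKeyUsageAny || have == want {
				return nil
			}
		}
	}
	return errors.New("leaf lacks the required Extended Key Usage")
}

// MintTestChain builds a throwaway CA and a serverAuth-only leaf (constructed test data, not real
// certificates; errors are ignored because the inputs are fixed) so the wrapper can run offline.
func MintTestChain() (leaf *x509.Certificate, roots *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "server.example"},
		DNSNames: []string{"server.example"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &key.PublicKey, key)
	leaf, _ = x509.ParseCertificate(leafDER)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return leaf, roots
}
```

With Roots set, Go uses its own chain builder rather than the platform verifier, so the serverAuth-only leaf is accepted for ServerAuth and rejected for ClientAuth; the explicit nil-Roots refusal keeps the affected code path from being reached at all.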

Fix

Weakness Enumeration
Improper Certificate Validation

Related Identifiers

ALT-PU-2020-1411
ALT-PU-2020-2439
ALT-PU-2020-2456
AZL-79080
BIT-GOLANG-2020-14039
CVE-2020-14039
GO-2021-0223
OPENSUSE-SU-2020:1087-1
OPENSUSE-SU-2020:1095-1
OPENSUSE-SU-2020:1405-1
OPENSUSE-SU-2020:1407-1
OPENSUSE-SU-2020_1087-1
OPENSUSE-SU-2020_1095-1
OPENSUSE-SU-2020_1405-1
OPENSUSE-SU-2020_1407-1
OPENSUSE-SU-2024:10806-1
OPENSUSE-SU-2024:10807-1
OPENSUSE-SU-2024:11430-1
SUSE-SU-2020:2562-1
SUSE-SU-2020_2562-1
SUSE-SU-2021:0263-1
SUSE-SU-2021_0263-1

Affected Products

Alt Linux
Go
Suse