Multiple vulnerabilities in Go
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2020-14039 CVE-2020-15586 |
| CWE-ID | CWE-295 CWE-362 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Go programming language Universal components / Libraries / Scripting languages |
| Vendor |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Improper Certificate Validation
EUVDB-ID: #VU31890
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-14039
CWE-ID:
CWE-295 - Improper Certificate Validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists when "VerifyOptions.Roots" is nil, "Certificate.Verify" does not check the EKU requirements specified in "VerifyOptions.KeyUsages".
MitigationInstall updates from vendor's website.
Vulnerable software versionsGo programming language: 1.13 - 1.14.4
CPE2.3- cpe:2.3:a:google:golang:1.13:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.13.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.13.3:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.13.4:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.13.5:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.13.6:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.13.7:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.13.8:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.13.9:*:*:*:*:*:*:*
https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html
https://groups.google.com/forum/#!forum/golang-announce
https://groups.google.com/forum/#!topic/golang-announce/XZNfaiwgt2w
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Race condition
EUVDB-ID: #VU31891
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-15586
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a race condition in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler. A remote attacker can exploit the race and cause a denial of service condition on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsGo programming language: 1.13 - 1.14.4
CPE2.3- cpe:2.3:a:google:golang:1.13:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.13.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.13.3:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.13.4:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.13.5:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.13.6:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.13.7:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.13.8:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.13.9:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.13.10:*:*:*:*:*:*:*
https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html
https://groups.google.com/forum/#!topic/golang-announce/f2c5bqrGH_g
https://groups.google.com/forum/#!topic/golang-announce/XZNfaiwgt2w
https://www.cloudfoundry.org/blog/cve-2020-15586/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
