#VU31890 Improper Certificate Validation in Go programming language - CVE-2020-14039

 

Published: July 27, 2020


Vulnerability identifier: #VU31890
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-14039
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Go programming language
Software vendor: Google

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists because, when "VerifyOptions.Roots" is nil, "Certificate.Verify" does not check the EKU requirements specified in "VerifyOptions.KeyUsages".
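
The following Go program is an added example, not code from this advisory or from the Go project. It shows the EKU check the description refers to: a leaf restricted to clientAuth is verified as a server certificate with "VerifyOptions.Roots" set explicitly, and the requested EKU is then re-checked on the chain independently of "Certificate.Verify". The helper names (chainAllowsEKU, newCert, demo) are hypothetical and both certificates are constructed in-process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// chainAllowsEKU re-checks want on every cert; no EKU list or ExtKeyUsageAny means unrestricted.
func chainAllowsEKU(want x509.ExtKeyUsage, chain ...*x509.Certificate) bool {
	for _, c := range chain {
		ok := len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0
		for _, u := range c.ExtKeyUsage {
			ok = ok || u == want || u == x509.ExtKeyUsageAny
		}
		if !ok {
			return false
		}
	}
	return true
}

// newCert issues a constructed test certificate (nil parent: self-signed CA); fixture errors are ignored.
func newCert(cn string, eku []x509.ExtKeyUsage, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, ExtKeyUsage: eku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), pk)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// demo verifies a clientAuth-only leaf as a server certificate, with Roots set explicitly.
func demo() (serverOK, clientOK bool, verifyErr error) {
	ca, caKey := newCert("constructed test CA", nil, nil, nil)
	leaf, _ := newCert("constructed leaf", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, verifyErr = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return chainAllowsEKU(x509.ExtKeyUsageServerAuth, leaf, ca), chainAllowsEKU(x509.ExtKeyUsageClientAuth, leaf, ca), verifyErr
}

func main() { fmt.Println(demo()) }
```

A caller that relies on a nil "VerifyOptions.Roots" can run chainAllowsEKU over each chain returned by "Certificate.Verify" and reject the certificate when it returns false.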


Remediation

Install updates from vendor's website.
