Vulnerability Report: GO-2021-0223
- Standard library
- CVE-2020-14039
- Affects: crypto/x509
- Published: Feb 17, 2022
- Modified: May 20, 2024
On Windows, if VerifyOptions.Roots is nil, Certificate.Verify does not check the EKU requirements specified in VerifyOptions.KeyUsages. This may allow a certificate to be used for an unintended purpose.
Affected Packages
- Path: crypto/x509
- Go Versions: before go1.13.13, from go1.14.0-0 before go1.14.5
- Symbols: 1 unexported affected symbol
  - Certificate.systemVerify
References
- https://go.dev/cl/242597
- https://go.googlesource.com/go/+/82175e699a2e2cd83d3aa34949e9b922d66d52f5
- https://go.dev/issue/39360
- https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w
- https://vuln.go.dev/ID/GO-2021-0223.json
Credits
- Niall Newman