Vulnerability Report: GO-2022-0535

standard library

CVE-2020-0601
Affects: crypto/x509
Published: Aug 01, 2022
Modified: May 20, 2024

A Windows vulnerability allows attackers to spoof valid certificate chains when the system root store is in use. A workaround is present in Go 1.12.6+ and Go 1.13.7+, but affected users should additionally install the Windows security update to protect their system. See https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0601 for details on the Windows vulnerability.

Affected Packages

Path

Go Versions

Symbols
crypto/x509

before go1.12.16, from go1.13.0-0 before go1.13.7
1 unexported affected symbols
- Certificate.systemVerify

Aliases

CVE-2020-0601

References

https://go.dev/cl/215905
https://go.googlesource.com/go/+/953bc8f391a63adf00bac2515dba62abe8a1e2c2
https://go.dev/issue/36834
https://groups.google.com/g/golang-announce/c/Hsw4mHYc470/m/WJeW5wguEgAJ
https://vuln.go.dev/ID/GO-2022-0535.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL