Fluid Attacks Database

Description

Certificate validation bypass on Windows in crypto/x509 A Windows vulnerability allows attackers to spoof valid certificate chains when the system root store is in use.

A workaround is present in Go 1.12.6+ and Go 1.13.7+, but affected users should additionally install the Windows security update to protect their system.

See https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0601 for details on the Windows vulnerability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	stdlib	>=0 <1.12.16	1.12.16

Aliases

1. CVE-2020-06012. NVD-2020-06013. OSV-GO-2022-05354. OSV-2020-06015. GCVE-2020-0601

References

1. https://go.dev/cl/2159052. https://go.googlesource.com/go/+/953bc8f391a63adf00bac2515dba62abe8a1e2c23. https://go.dev/issue/368344. https://groups.google.com/g/golang-announce/c/Hsw4mHYc470/m/WJeW5wguEgAJ5. https://github.com/nissan-sudo/CVE-2020-0601

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.