| id: GO-2022-0535 |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.12.16 |
| - introduced: 1.13.0-0 |
| - fixed: 1.13.7 |
| vulnerable_at: 1.13.6 |
| packages: |
| - package: crypto/x509 |
| goos: |
| - windows |
| symbols: |
| - Certificate.systemVerify |
| summary: Certificate validation bypass on Windows in crypto/x509 |
| description: |- |
| A Windows vulnerability allows attackers to spoof valid certificate chains when |
| the system root store is in use. |
| |
| A workaround is present in Go 1.12.6+ and Go 1.13.7+, but affected users should |
| additionally install the Windows security update to protect their system. |
| |
| See https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0601 |
| for details on the Windows vulnerability. |
| published: 2022-08-01T22:21:17Z |
| cves: |
| - CVE-2020-0601 |
| references: |
| - fix: https://go.dev/cl/215905 |
| - fix: https://go.googlesource.com/go/+/953bc8f391a63adf00bac2515dba62abe8a1e2c2 |
| - report: https://go.dev/issue/36834 |
| - web: https://groups.google.com/g/golang-announce/c/Hsw4mHYc470/m/WJeW5wguEgAJ |
| review_status: REVIEWED |
