Incomplete X.509 Certificate Verification in Go (CVE-2020-28362)

CVE-2020-14039 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.
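
A defensive wrapper for the condition described above, as an added example (not code from the Go project or from this advisory): verifyStrict refuses a nil root pool, passes KeyUsages explicitly, and re-checks the leaf's EKU itself after Certificate.Verify returns. The names leafAllowsEKU, verifyStrict and selfSigned are hypothetical, and the certificate is a constructed throwaway sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// leafAllowsEKU (hypothetical helper): no EKU extension or "any" is unrestricted; else a wanted usage must be listed.
func leafAllowsEKU(c *x509.Certificate, want ...x509.ExtKeyUsage) bool {
	unrestricted := len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0
	for _, have := range c.ExtKeyUsage {
		for _, w := range want {
			if have == w || have == x509.ExtKeyUsageAny || w == x509.ExtKeyUsageAny {
				return true
			}
		}
	}
	return unrestricted
}

// verifyStrict (hypothetical helper) insists on explicit Roots and KeyUsages, then re-checks the leaf EKU itself.
func verifyStrict(leaf *x509.Certificate, roots *x509.CertPool, want ...x509.ExtKeyUsage) error {
	if roots == nil || len(want) == 0 {
		return errors.New("roots and key usages must be set explicitly")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: want})
	if err == nil && !leafAllowsEKU(leaf, want...) {
		err = errors.New("leaf EKU does not permit the requested usage")
	}
	return err
}

// selfSigned returns a constructed throwaway certificate (sample input) carrying the given EKUs.
func selfSigned(eku ...x509.ExtKeyUsage) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), ExtKeyUsage: eku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return x509.ParseCertificate(der)
}

func main() {
	c, _ := selfSigned(x509.ExtKeyUsageClientAuth) // client-auth only
	fmt.Println(leafAllowsEKU(c, x509.ExtKeyUsageServerAuth), leafAllowsEKU(c, x509.ExtKeyUsageClientAuth)) // false true
}
```

On a patched Go release Certificate.Verify already rejects the mismatched usage; the explicit re-check only makes the EKU requirement independent of the platform verifier.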
