NVD Vulnerability Detail

CVE-2020-14039

Summary	In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.
Publication Date	July 18, 2020, 1:15 a.m.
Registration Date	Jan. 26, 2021, 11:52 a.m.
Last Update	Nov. 21, 2024, 2:02 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html	Mailing List Third Party Advisory
2	http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html	Mailing List Third Party Advisory
3	http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00082.html	Mailing List Third Party Advisory
4	http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00082.html	Mailing List Third Party Advisory
5	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00029.html	Mailing List Third Party Advisory
6	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00029.html	Mailing List Third Party Advisory
7	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00030.html	Mailing List Third Party Advisory
8	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00030.html	Mailing List Third Party Advisory
9	https://groups.google.com/forum/#%21forum/golang-announce
10	https://groups.google.com/forum/#%21forum/golang-announce
11	https://groups.google.com/forum/#%21topic/golang-announce/XZNfaiwgt2w
12	https://groups.google.com/forum/#%21topic/golang-announce/XZNfaiwgt2w
13	https://security.netapp.com/advisory/ntap-20200731-0005/	Third Party Advisory
14	https://security.netapp.com/advisory/ntap-20200731-0005/	Third Party Advisory
15	https://www.oracle.com/security-alerts/cpuApr2021.html	Patch Third Party Advisory
16	https://www.oracle.com/security-alerts/cpuApr2021.html	Patch Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-295	不正な証明書検証	https://cwe.mitre.org/data/definitions/295.html

JVN Vulnerability Information

Go における証明書検証に関する脆弱性

Title	Go における証明書検証に関する脆弱性
Summary	Go には、証明書検証に関する脆弱性が存在します。
Possible impacts	情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	July 15, 2020, midnight
Registration Date	Sept. 8, 2020, 4:47 p.m.
Last Update	Sept. 8, 2020, 4:47 p.m.

Affected System

The Go Project

Go 1.13.13 未満

Go 1.14.5 未満の 1.14.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-14039	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14039
National Vulnerability Database (NVD)
2	CVE-2020-14039	https://nvd.nist.gov/vuln/detail/CVE-2020-14039

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-295	https://cwe.mitre.org/data/definitions/295.html

ベンダー情報

No	Name	URL
Google Groups
1	golang-announce	https://groups.google.com/forum/#!forum/golang-announce
2	[security] Go 1.14.5 and Go 1.13.13 are released	https://groups.google.com/forum/#!topic/golang-announce/XZNfaiwgt2w

Change Log

No	Changed Details	Date of change
1	[2020年09月08日] 掲載	Sept. 8, 2020, 4:47 p.m.