Go's X.509 certificate verification in the crypto/x509 package is vulnerable: a byte difference between certificate encodings can lead to incorrect validation results and potential verification bypasses.
Under certain conditions the vulnerability allows man-in-the-middle attacks or the acceptance of invalid certificates, posing a significant risk to systems that use Go's crypto/x509 package.
Affected Systems
- crypto/x509 package in Go
Affected Versions: All versions before Go 1.20
Remediation
- Upgrade the Go toolchain to version 1.20 or higher, where this issue is mitigated, and rebuild affected binaries, since crypto/x509 is compiled into each Go program rather than loaded at run time.
- Until the upgrade is in place, independently check and validate certificates for critical systems with an alternative tool such as OpenSSL.
Stack Impact
Affects any service or application that relies on Go's crypto/x509 package for certificate verification, including web servers and any TLS-secured connection, since Go's crypto/tls performs its certificate chain verification through crypto/x509.