{"id":"CVE-2020-0601","details":"A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability'.","aliases":["BIT-golang-2020-0601","GO-2022-0535"],"modified":"2026-04-11T20:27:47.598504Z","published":"2020-01-14T23:15:30.207Z","references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-0601"},{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/155960/CurveBall-Microsoft-Windows-CryptoAPI-Spoofing-Proof-Of-Concept.html"},{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/155961/CurveBall-Microsoft-Windows-CryptoAPI-Spoofing-Proof-Of-Concept.html"},{"type":"FIX","url":"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/golang/go","events":[{"introduced":"05e77d41914d247a1e7caf37d7125ccaa5a53505"},{"fixed":"deac3221fc4cd365fb40d269dd56551e9d354356"},{"introduced":"cc8838d645b2b7026c1f3aaceb011775c5ca3a08"},{"fixed":"7d2473dc81c659fba3f3b83bc6e93ca5fe37a898"}],"database_specific":{"cpe":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"1.12"},{"fixed":"1.12.16"},{"introduced":"1.13"},{"fixed":"1.13.7"}],"source":"CPE_FIELD"}}],"versions":["go1.12","go1.12.1","go1.12.12","go1.12.13","go1.12.14","go1.12.15","go1.12.2","go1.12.3","go1.12.4","go1.12.5","go1.12.6","go1.12.7","go1.12.9","go1.13","go1.13.3","go1.13.4","go1.13.5","go1.13.6"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-0601.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}]}