CVE-2020-14039

unknown

Published 2022-02-17 · Modified 2024-05-20

CVSS v3

—

CVSS v2

—

VIR risk

—

Description

In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2020-14039

OS impact

OS	Version	Status	Fixed in
debian	bullseye	fixed	`0`

Package impact

Ecosystem	Package	Vulnerable	Fixed
Go	stdlib	`>=1.14.0-0,<1.14.5`	`1.13.13`

References

https://go.dev/cl/242597
https://go.googlesource.com/go/+/82175e699a2e2cd83d3aa34949e9b922d66d52f5
https://go.dev/issue/39360
https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w
https://security-tracker.debian.org/tracker/CVE-2020-14039

Verify integrity in audit chain (admin only). AS-IS.