CVE-2020-14039 — Certificate verification error on Windows in crypto/x509

Description

In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.

How to fix CVE-2020-14039

To remediate CVE-2020-14039, upgrade the affected package to a fixed version below.

—upgrade to 1.13.13 or later
—upgrade to 1.13.13 or later

Is CVE-2020-14039 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.13.13, >= 1.14.0, < 1.14.5
from 0, < 1.13.13, >= 1.14.0-0, < 1.14.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (13)

PATCHgo.dev/cl/242597
PATCHgo.googlesource.com/go/+/82175e699a2e2cd83d3aa34949e9b922d66d52f5
REPORTgo.dev/issue/39360
WEBlists.opensuse.org/opensuse-security-announce/2020-07/msg00077.html
WEB