Bug 2184481 (CVE-2023-24538)

Summary: CVE-2023-24538 golang: html/template: backticks not treated as string delimiters
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abenaiss, abishop, adudiak, amackenz, amasferr, amctagga, ansmith, aoconnor, asm, ataylor, bbaude, bbuckingham, bcourt, bdettelb, bniver, bodavis, chazlett, cmarinea, cwelton, dbenoit, debarshir, desktop-qa-list, dfreiber, dkenigsb, dperaza, dpini, dsimansk, dwalsh, dymurray, eaguilar, ebaron, eglynn, ehelms, ellin, emachado, epacific, fdeutsch, fjansen, flucifre, gmeno, gparvin, grafana-maint, ibolton, jaharrin, jburrell, jcammara, jcantril, jchui, jeder, jhardy, jjoyce, jkang, jkurik, jligon, jmatthew, jmontleo, jneedle, jnovy, jobarker, jpallich, jross, jscholz, jsherril, kshier, lball, lhh, lmadsen, lsm5, lzap, mabashia, matzew, mbenjamin, mboddu, mburns, mgarciac, mhackett, mheon, mhulan, mkudlej, mmagr, mrunge, mwringe, myarboro, nathans, nbecker, nboldt, njean, nmoumoul, nobody, orabin, oramraz, osbuilders, owatkins, pahickey, pakotvan, pcreech, pehunt, pjindal, pthomas, rchan, rhcos-sst, rhos-maint, rhuss, rjohnson, rkieley, rogbas, saroy, scorneli, sfroberg, sgott, shbose, simaishi, sipoyare, slucidi, smcdonal, smullick, sostapov, spower, sseago, stcannon, swoodman, teagle, tfister, tjochec, tstellar, tsweeney, umohnani, vereddy, vkumar, whayutin, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: golang 1.20.3, golang 1.19.8 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Golang Go. This flaw allows a remote attacker to execute arbitrary code on the system, caused by not properly considering backticks (`) as Javascript string delimiters. By sending a specially crafted request, an attacker execute arbitrary code on the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2186205, 2186206, 2186207, 2187314, 2187315, 2187316, 2187317, 2187318, 2187319, 2187320, 2187321, 2187322, 2187323, 2187330, 2187331, 2187332, 2187333, 2187334, 2187335, 2187336, 2187337, 2187338, 2187339, 2187340, 2187341, 2187342, 2187343, 2187344, 2187345, 2188999, 2189000, 2189001, 2189002, 2189003, 2189004, 2189005, 2189006, 2189007, 2189008, 2189009, 2189010, 2189011, 2189012, 2189013, 2189014, 2189015, 2189016, 2189017    
Bug Blocks: 2184485    

Description Pedro Sampaio 2023-04-04 20:21:00 UTC 
Templates did not properly consider backticks (`) as Javascript string delimiters, and as such did
not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template
contained a Go template action within a Javascript template literal, the contents of the action could
be used to terminate the literal, injecting arbitrary Javascript code into the Go template.

References:

https://github.com/golang/go/issues/59234
https://github.com/golang/go/issues/59272
Comment 9 Avinash Hanwate 2023-04-24 04:54:33 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2188999]
Affects: fedora-all [bug 2189000]
Comment 18 errata-xmlrpc 2023-05-25 12:26:02 UTC 
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2023:3323 https://access.redhat.com/errata/RHSA-2023:3323
Comment 20 errata-xmlrpc 2023-06-05 14:08:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:3445 https://access.redhat.com/errata/RHSA-2023:3445
Comment 21 errata-xmlrpc 2023-06-05 16:44:18 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:3450 https://access.redhat.com/errata/RHSA-2023:3450
Comment 22 errata-xmlrpc 2023-06-05 23:42:49 UTC 
This issue has been addressed in the following products:

  RHOSS-1.29-RHEL-8

Via RHSA-2023:3455 https://access.redhat.com/errata/RHSA-2023:3455
Comment 23 errata-xmlrpc 2023-06-07 01:50:41 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3367 https://access.redhat.com/errata/RHSA-2023:3367
Comment 24 errata-xmlrpc 2023-06-13 15:32:28 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3540 https://access.redhat.com/errata/RHSA-2023:3540
Comment 27 errata-xmlrpc 2023-06-15 09:48:11 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:3624 https://access.redhat.com/errata/RHSA-2023:3624
Comment 28 errata-xmlrpc 2023-06-23 04:39:38 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3612 https://access.redhat.com/errata/RHSA-2023:3612
Comment 29 errata-xmlrpc 2023-06-29 00:59:06 UTC 
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:3918 https://access.redhat.com/errata/RHSA-2023:3918
Comment 30 errata-xmlrpc 2023-06-29 14:32:33 UTC 
This issue has been addressed in the following products:

  RHACS-4.1-RHEL-8

Via RHSA-2023:3943 https://access.redhat.com/errata/RHSA-2023:3943
Comment 32 errata-xmlrpc 2023-07-10 08:51:21 UTC 
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 8
  Service Interconnect 1 for RHEL 9

Via RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003
Comment 35 errata-xmlrpc 2023-07-20 17:28:52 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13
  Ironic content for Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:4093 https://access.redhat.com/errata/RHSA-2023:4093
Comment 37 errata-xmlrpc 2023-08-03 14:12:45 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.3 for RHEL 8

Via RHSA-2023:4470 https://access.redhat.com/errata/RHSA-2023:4470
Comment 38 errata-xmlrpc 2023-08-08 00:36:22 UTC 
This issue has been addressed in the following products:

  CERT-MANAGER-1.10-RHEL-9

Via RHSA-2023:4335 https://access.redhat.com/errata/RHSA-2023:4335
Comment 39 errata-xmlrpc 2023-08-14 01:02:37 UTC 
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627
Comment 40 errata-xmlrpc 2023-08-16 14:09:29 UTC 
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13

Via RHSA-2023:4664 https://access.redhat.com/errata/RHSA-2023:4664
Comment 41 errata-xmlrpc 2023-08-23 00:17:57 UTC 
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:4657 https://access.redhat.com/errata/RHSA-2023:4657
Comment 42 errata-xmlrpc 2023-09-06 07:56:16 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.9

Via RHSA-2023:4986 https://access.redhat.com/errata/RHSA-2023:4986
Comment 43 errata-xmlrpc 2023-10-20 14:57:09 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:5964 https://access.redhat.com/errata/RHSA-2023:5964
Comment 44 errata-xmlrpc 2023-11-07 08:13:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6346 https://access.redhat.com/errata/RHSA-2023:6346
Comment 45 errata-xmlrpc 2023-11-07 08:13:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6363 https://access.redhat.com/errata/RHSA-2023:6363
Comment 46 errata-xmlrpc 2023-11-07 08:15:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6402 https://access.redhat.com/errata/RHSA-2023:6402
Comment 47 errata-xmlrpc 2023-11-07 08:16:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6473 https://access.redhat.com/errata/RHSA-2023:6473
Comment 48 errata-xmlrpc 2023-11-07 08:17:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6474 https://access.redhat.com/errata/RHSA-2023:6474
Comment 49 errata-xmlrpc 2023-11-14 15:16:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6938 https://access.redhat.com/errata/RHSA-2023:6938
Comment 50 errata-xmlrpc 2023-11-14 15:17:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6939 https://access.redhat.com/errata/RHSA-2023:6939
Comment 51 errata-xmlrpc 2024-02-08 16:58:18 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 5.3

Via RHSA-2024:0746 https://access.redhat.com/errata/RHSA-2024:0746
Comment 58 errata-xmlrpc 2024-05-21 14:07:37 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2024:2944 https://access.redhat.com/errata/RHSA-2024:2944