Bug 2228689 (CVE-2023-3978)

Summary: CVE-2023-3978 golang.org/x/net/html: Cross site scripting
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, adudiak, amctagga, bbaude, chazlett, davidn, dcadzow, dfreiber, dkenigsb, dshah, dwalsh, dymurray, eaguilar, ebaron, eglynn, ellin, epacific, fdeutsch, gparvin, ibolton, jaharrin, jburrell, jcammara, jcantril, jeder, jhardy, jjoyce, jkang, jkoehler, jligon, jmatthew, jmontleo, jneedle, jnovy, jobarker, jpallich, jschluet, jwendell, kshier, lgamliel, lhh, lsm5, mabashia, mboddu, mburns, mfilanov, mgarciac, mheon, muagarwa, nboldt, njean, nobody, oramraz, osapryki, osbuilders, owatkins, pahickey, periklis, pgrist, pjindal, pthomas, rcernich, rfreiman, rjohnson, rogbas, scorneli, sfroberg, sgott, simaishi, slucidi, smcdonal, smullick, sseago, stcannon, teagle, tfister, tkral, tsweeney, twalsh, vkumar, whayutin, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: golang.org/x/net/html 0.13.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Golang HTML package where it is vulnerable to Cross-site scripting caused by the improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's web browser within the security context of the hosting website once the URL is clicked. The flaw allows an attacker to steal the victim's cookie-based authentication credentials.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2228806, 2228807, 2228808, 2228810, 2228811, 2228812, 2228813, 2228814, 2228815, 2228824, 2228825, 2229577, 2229578, 2229579, 2229580, 2229581, 2229583, 2229584, 2229585, 2229586, 2229587, 2229588, 2229589, 2229590, 2229591, 2229592, 2229593, 2229594, 2229595, 2229596, 2229597, 2229598, 2229600, 2229601, 2229602, 2229603, 2229604, 2229605, 2229607, 2229608, 2229610, 2229611, 2229582, 2229599    
Bug Blocks: 2228694    

Description Avinash Hanwate 2023-08-03 05:50:06 UTC 
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.

https://go.dev/issue/61615
https://go.dev/cl/514896
https://pkg.go.dev/vuln/GO-2023-1988
Comment 6 Avinash Hanwate 2023-08-07 05:38:23 UTC 
Created caddy tracking bugs for this issue:

Affects: fedora-all [bug 2229582]


Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2229583]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-all [bug 2229577]


Created cri-o:1.21/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229584]


Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2229585]


Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2229586]


Created cri-o:1.25/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229587]


Created cri-o:1.26/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2229588]


Created cri-o:1.26/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229589]


Created cri-o:1.27/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2229590]


Created cri-o:1.27/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229591]


Created cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229592]


Created gh tracking bugs for this issue:

Affects: fedora-all [bug 2229593]


Created golang-github-docker-slim tracking bugs for this issue:

Affects: fedora-all [bug 2229594]


Created golang-github-onsi-ginkgo-2 tracking bugs for this issue:

Affects: fedora-all [bug 2229595]


Created golang-github-projectdiscovery-chaos-client tracking bugs for this issue:

Affects: fedora-all [bug 2229596]


Created golang-googlecode-net tracking bugs for this issue:

Affects: epel-all [bug 2229578]


Created golang-k8s-kube-aggregator tracking bugs for this issue:

Affects: fedora-all [bug 2229597]


Created golang-vitess tracking bugs for this issue:

Affects: fedora-all [bug 2229598]


Created golang-x-net tracking bugs for this issue:

Affects: epel-all [bug 2229579]
Affects: fedora-all [bug 2229599]


Created golang-x-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229600]


Created hugo tracking bugs for this issue:

Affects: fedora-all [bug 2229601]


Created kompose tracking bugs for this issue:

Affects: epel-all [bug 2229580]


Created migrate tracking bugs for this issue:

Affects: fedora-all [bug 2229602]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 2229603]


Created osbuild-composer tracking bugs for this issue:

Affects: fedora-all [bug 2229604]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2229605]


Created rclone tracking bugs for this issue:

Affects: epel-all [bug 2229581]


Created shellz tracking bugs for this issue:

Affects: fedora-all [bug 2229607]


Created xq tracking bugs for this issue:

Affects: fedora-all [bug 2229608]
Comment 7 Avinash Hanwate 2023-08-07 05:45:38 UTC 
Created rclone tracking bugs for this issue:

Affects: fedora-all [bug 2229610]