Bug 2237773 (CVE-2023-39319)

Summary: CVE-2023-39319 golang: html/template: improper handling of special tags within script contexts
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Sayan Biswas <sabiswas>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: golang 1.20.8, golang 1.21.1
Doc Text:
A flaw was found in Golang. The html/template package did not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This issue may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped.
Bug Depends On: 2238077, 2238078, 2238079, 2238080, 2238084, 2238086, 2238059, 2238060, 2238061, 2238062, 2238063, 2238064, 2238065, 2238066, 2238073, 2238074, 2238075, 2238081, 2238082, 2238083, 2238085, 2238088, 2238090, 2238802, 2238803, 2280689    
Bug Blocks: 2237770    

Description Patrick Del Bello 2023-09-06 20:15:59 UTC
The html/template package did not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.
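Added example (not part of the bug report or of the Go project's own test suite) showing the behaviour the fix introduced: on Go 1.20.8 / 1.21.1 or later, which this example assumes, html/template rewrites the leading "<" of "<!--", "<script" and "</script" found inside JS string literals as \x3C, so the actions that follow stay JS-escaped instead of being treated as HTML. The helper rawSpecialTagsInsideScript is a hypothetical check, constructed here, that a defender can run over rendered output to confirm a patched toolchain.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Constructed template: each special sequence sits inside a JS string literal
// and is followed by an action. Before Go 1.20.8 / 1.21.1 the "</script" in the
// literal ended the script context, so the later actions were HTML-escaped.
const tmplSrc = `<script>
var a = "</script"; var v1 = {{.}};
var b = "<!--";     var v2 = {{.}};
var c = "<script";  var v3 = {{.}};
</script>`

// renderScript executes the template with html/template and returns the output.
func renderScript(data string) (string, error) {
	var sb strings.Builder
	err := template.Must(template.New("t").Parse(tmplSrc)).Execute(&sb, data)
	return sb.String(), err
}

// rawSpecialTagsInsideScript reports whether a raw "<!--", "<script" or
// "</script" survives between the outer <script> and its real closing tag.
// A patched html/template rewrites the leading "<" of such sequences inside
// JS literals as \x3C, so on fixed versions this returns false.
func rawSpecialTagsInsideScript(out string) bool {
	start := strings.Index(out, "<script>")
	end := strings.LastIndex(out, "</script>")
	if start < 0 || end <= start {
		return true // malformed output: treat as unsafe
	}
	body := strings.ToLower(out[start+len("<script>") : end])
	for _, seq := range []string{"<!--", "<script", "</script"} {
		if strings.Contains(body, seq) {
			return true
		}
	}
	return false
}

func main() {
	out, err := renderScript("x")
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
	fmt.Println("raw special tags inside <script>:", rawSpecialTagsInsideScript(out))
}
```

On a patched toolchain the rendered output reads `var a = "\x3C/script"; var v1 = "x";` and the check returns false; the same check returns true for output in which a raw "</script" remains inside the script body.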

Comment 8 Anten Skrabec 2023-09-13 17:16:45 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2238802]
Affects: fedora-all [bug 2238803]

Comment 13 errata-xmlrpc 2023-10-20 16:50:05 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.4.0-RHEL-9

Via RHSA-2023:5974 https://access.redhat.com/errata/RHSA-2023:5974

Comment 14 errata-xmlrpc 2023-10-24 15:32:41 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.9

Via RHSA-2023:6085 https://access.redhat.com/errata/RHSA-2023:6085

Comment 15 errata-xmlrpc 2023-10-25 14:02:02 UTC
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:6115 https://access.redhat.com/errata/RHSA-2023:6115

Comment 16 errata-xmlrpc 2023-10-25 15:52:51 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.3 for RHEL 8

Via RHSA-2023:6119 https://access.redhat.com/errata/RHSA-2023:6119

Comment 17 errata-xmlrpc 2023-10-25 18:15:12 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8

Via RHSA-2023:6122 https://access.redhat.com/errata/RHSA-2023:6122

Comment 18 errata-xmlrpc 2023-10-26 00:47:58 UTC
This issue has been addressed in the following products:

  RODOO-1.0-RHEL-8

Via RHSA-2023:5947 https://access.redhat.com/errata/RHSA-2023:5947

Comment 19 errata-xmlrpc 2023-10-26 18:18:18 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.2 for RHEL 8

Via RHSA-2023:6145 https://access.redhat.com/errata/RHSA-2023:6145

Comment 20 errata-xmlrpc 2023-10-26 19:20:32 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2023:6148 https://access.redhat.com/errata/RHSA-2023:6148

Comment 21 errata-xmlrpc 2023-10-30 02:16:20 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:6161 https://access.redhat.com/errata/RHSA-2023:6161

Comment 22 errata-xmlrpc 2023-10-30 18:15:34 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2023:6200 https://access.redhat.com/errata/RHSA-2023:6200

Comment 23 errata-xmlrpc 2023-10-30 20:14:16 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2023:6202 https://access.redhat.com/errata/RHSA-2023:6202

Comment 24 errata-xmlrpc 2023-10-31 14:02:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5009 https://access.redhat.com/errata/RHSA-2023:5009

Comment 25 errata-xmlrpc 2023-11-01 00:30:43 UTC
This issue has been addressed in the following products:

  OSSO-1.2-RHEL-8

Via RHSA-2023:6154 https://access.redhat.com/errata/RHSA-2023:6154

Comment 26 errata-xmlrpc 2023-11-15 04:38:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:6840 https://access.redhat.com/errata/RHSA-2023:6840

Comment 27 errata-xmlrpc 2023-12-12 17:23:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7762 https://access.redhat.com/errata/RHSA-2023:7762

Comment 28 errata-xmlrpc 2023-12-12 17:23:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7764 https://access.redhat.com/errata/RHSA-2023:7764

Comment 29 errata-xmlrpc 2023-12-12 17:23:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7765 https://access.redhat.com/errata/RHSA-2023:7765

Comment 30 errata-xmlrpc 2023-12-12 17:24:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7766 https://access.redhat.com/errata/RHSA-2023:7766

Comment 31 errata-xmlrpc 2024-01-10 11:28:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0121 https://access.redhat.com/errata/RHSA-2024:0121

Comment 33 errata-xmlrpc 2024-04-18 07:18:18 UTC
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 9

Via RHSA-2024:1901 https://access.redhat.com/errata/RHSA-2024:1901

Comment 34 errata-xmlrpc 2024-04-30 09:41:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2160 https://access.redhat.com/errata/RHSA-2024:2160

Comment 37 errata-xmlrpc 2024-05-22 09:27:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2988 https://access.redhat.com/errata/RHSA-2024:2988

Comment 38 errata-xmlrpc 2024-05-23 15:24:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2024:3352 https://access.redhat.com/errata/RHSA-2024:3352

Comment 39 errata-xmlrpc 2024-05-29 13:30:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2024:3467 https://access.redhat.com/errata/RHSA-2024:3467