Bug 2237776 (CVE-2023-39318)

Summary: CVE-2023-39318 golang: html/template: improper handling of HTML-like comments within script contexts
Product: [Other] Security Response Reporter: Patrick Del Bello <pdelbell>
Component: vulnerabilityAssignee: Sayan Biswas <sabiswas>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abishop, amasferr, amctagga, ansmith, aoconnor, apjagtap, asatyam, aveerama, bbuckingham, bcourt, bdettelb, bniver, bodavis, chazlett, dbenoit, dcadzow, dfreiber, diagrawa, dkenigsb, dperaza, dsimansk, dymurray, eglynn, ehelms, emachado, fdeutsch, flucifre, gmeno, gparvin, ibolton, jaharrin, jburrell, jcantril, jchui, jeder, jjoyce, jkoehler, jmatthew, jmontleo, jschluet, jsherril, jwendell, kaycoth, lball, lhh, lzap, matzew, mbenjamin, mburns, mcressma, mgarciac, mhackett, mhulan, mkudlej, mnewsome, mrajanna, mwringe, njean, nmoumoul, odf-bz-bot, orabin, oramraz, owatkins, pahickey, pcreech, periklis, pgrist, pjindal, rcernich, rchan, rhos-maint, rhuss, rjohnson, rogbas, saroy, sdawley, sgott, shbose, sipoyare, skontopo, slucidi, smullick, sostapov, sseago, stcannon, teagle, tjochec, twalsh, ubhargav, vereddy, vkumar, whayutin
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: golang 1.20.8, golang 1.21.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Golang. The html/template package did not properly handle HMTL-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This issue may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2238077, 2238078, 2238079, 2238080, 2238084, 2238085, 2238086, 2238059, 2238060, 2238061, 2238062, 2238063, 2238064, 2238065, 2238066, 2238073, 2238074, 2238075, 2238081, 2238082, 2238083, 2238088, 2238090, 2238806, 2238807, 2280689    
Bug Blocks: 2237770    

Description Patrick Del Bello 2023-09-06 20:23:01 UTC 
The html/template package did not properly handle HMTL-like "<!--" and "-->"comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.
Comment 8 Anten Skrabec 2023-09-13 17:19:10 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2238806]
Affects: fedora-all [bug 2238807]
Comment 12 errata-xmlrpc 2023-10-20 16:50:05 UTC 
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.4.0-RHEL-9

Via RHSA-2023:5974 https://access.redhat.com/errata/RHSA-2023:5974
Comment 13 errata-xmlrpc 2023-10-24 15:32:42 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.9

Via RHSA-2023:6085 https://access.redhat.com/errata/RHSA-2023:6085
Comment 14 errata-xmlrpc 2023-10-25 14:02:02 UTC 
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:6115 https://access.redhat.com/errata/RHSA-2023:6115
Comment 15 errata-xmlrpc 2023-10-25 15:52:52 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.3 for RHEL 8

Via RHSA-2023:6119 https://access.redhat.com/errata/RHSA-2023:6119
Comment 16 errata-xmlrpc 2023-10-25 18:15:12 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8

Via RHSA-2023:6122 https://access.redhat.com/errata/RHSA-2023:6122
Comment 17 errata-xmlrpc 2023-10-26 00:48:01 UTC 
This issue has been addressed in the following products:

  RODOO-1.0-RHEL-8

Via RHSA-2023:5947 https://access.redhat.com/errata/RHSA-2023:5947
Comment 18 errata-xmlrpc 2023-10-26 18:18:18 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.2 for RHEL 8

Via RHSA-2023:6145 https://access.redhat.com/errata/RHSA-2023:6145
Comment 19 errata-xmlrpc 2023-10-26 19:20:32 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2023:6148 https://access.redhat.com/errata/RHSA-2023:6148
Comment 20 errata-xmlrpc 2023-10-30 02:16:21 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:6161 https://access.redhat.com/errata/RHSA-2023:6161
Comment 21 errata-xmlrpc 2023-10-30 18:15:34 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2023:6200 https://access.redhat.com/errata/RHSA-2023:6200
Comment 22 errata-xmlrpc 2023-10-30 20:14:16 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2023:6202 https://access.redhat.com/errata/RHSA-2023:6202
Comment 23 errata-xmlrpc 2023-10-31 14:02:11 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5009 https://access.redhat.com/errata/RHSA-2023:5009
Comment 24 errata-xmlrpc 2023-11-01 00:30:43 UTC 
This issue has been addressed in the following products:

  OSSO-1.2-RHEL-8

Via RHSA-2023:6154 https://access.redhat.com/errata/RHSA-2023:6154
Comment 25 errata-xmlrpc 2023-11-15 04:38:04 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:6840 https://access.redhat.com/errata/RHSA-2023:6840
Comment 26 errata-xmlrpc 2023-12-12 17:23:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7762 https://access.redhat.com/errata/RHSA-2023:7762
Comment 27 errata-xmlrpc 2023-12-12 17:23:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7764 https://access.redhat.com/errata/RHSA-2023:7764
Comment 28 errata-xmlrpc 2023-12-12 17:23:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7765 https://access.redhat.com/errata/RHSA-2023:7765
Comment 29 errata-xmlrpc 2023-12-12 17:24:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7766 https://access.redhat.com/errata/RHSA-2023:7766
Comment 30 errata-xmlrpc 2024-01-10 11:28:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0121 https://access.redhat.com/errata/RHSA-2024:0121
Comment 31 errata-xmlrpc 2024-04-18 07:18:18 UTC 
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 9

Via RHSA-2024:1901 https://access.redhat.com/errata/RHSA-2024:1901
Comment 32 errata-xmlrpc 2024-04-30 09:41:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2160 https://access.redhat.com/errata/RHSA-2024:2160
Comment 35 errata-xmlrpc 2024-05-22 09:27:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2988 https://access.redhat.com/errata/RHSA-2024:2988
Comment 36 errata-xmlrpc 2024-05-23 15:24:42 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2024:3352 https://access.redhat.com/errata/RHSA-2024:3352
Comment 37 errata-xmlrpc 2024-05-29 13:30:22 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2024:3467 https://access.redhat.com/errata/RHSA-2024:3467