Bug 2237776 (CVE-2023-39318)
Summary: | CVE-2023-39318 golang: html/template: improper handling of HTML-like comments within script contexts | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Patrick Del Bello <pdelbell> |
Component: | vulnerability | Assignee: | Sayan Biswas <sabiswas> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | abishop, amasferr, amctagga, ansmith, aoconnor, apjagtap, asatyam, aveerama, bbuckingham, bcourt, bdettelb, bniver, bodavis, chazlett, dbenoit, dcadzow, dfreiber, diagrawa, dkenigsb, dperaza, dsimansk, dymurray, eglynn, ehelms, emachado, fdeutsch, flucifre, gmeno, gparvin, ibolton, jaharrin, jburrell, jcantril, jchui, jeder, jjoyce, jkoehler, jmatthew, jmontleo, jschluet, jsherril, jwendell, kaycoth, lball, lhh, lzap, matzew, mbenjamin, mburns, mcressma, mgarciac, mhackett, mhulan, mkudlej, mnewsome, mrajanna, mwringe, njean, nmoumoul, odf-bz-bot, orabin, oramraz, owatkins, pahickey, pcreech, periklis, pgrist, pjindal, rcernich, rchan, rhos-maint, rhuss, rjohnson, rogbas, saroy, sdawley, sgott, shbose, sipoyare, skontopo, slucidi, smullick, sostapov, sseago, stcannon, teagle, tjochec, twalsh, ubhargav, vereddy, vkumar, whayutin |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | golang 1.20.8, golang 1.21.1 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in Golang. The html/template package did not properly handle HMTL-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This issue may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2238077, 2238078, 2238079, 2238080, 2238084, 2238085, 2238086, 2238059, 2238060, 2238061, 2238062, 2238063, 2238064, 2238065, 2238066, 2238073, 2238074, 2238075, 2238081, 2238082, 2238083, 2238088, 2238090, 2238806, 2238807, 2280689 | ||
Bug Blocks: | 2237770 |
Description
Patrick Del Bello
2023-09-06 20:23:01 UTC
Created golang tracking bugs for this issue: Affects: epel-all [bug 2238806] Affects: fedora-all [bug 2238807] This issue has been addressed in the following products: NETWORK-OBSERVABILITY-1.4.0-RHEL-9 Via RHSA-2023:5974 https://access.redhat.com/errata/RHSA-2023:5974 This issue has been addressed in the following products: Red Hat Openshift distributed tracing 2.9 Via RHSA-2023:6085 https://access.redhat.com/errata/RHSA-2023:6085 This issue has been addressed in the following products: OADP-1.1-RHEL-8 Via RHSA-2023:6115 https://access.redhat.com/errata/RHSA-2023:6115 This issue has been addressed in the following products: multicluster engine for Kubernetes 2.3 for RHEL 8 Via RHSA-2023:6119 https://access.redhat.com/errata/RHSA-2023:6119 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8 Via RHSA-2023:6122 https://access.redhat.com/errata/RHSA-2023:6122 This issue has been addressed in the following products: RODOO-1.0-RHEL-8 Via RHSA-2023:5947 https://access.redhat.com/errata/RHSA-2023:5947 This issue has been addressed in the following products: multicluster engine for Kubernetes 2.2 for RHEL 8 Via RHSA-2023:6145 https://access.redhat.com/errata/RHSA-2023:6145 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8 Via RHSA-2023:6148 https://access.redhat.com/errata/RHSA-2023:6148 This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2023:6161 https://access.redhat.com/errata/RHSA-2023:6161 This issue has been addressed in the following products: multicluster engine for Kubernetes 2.1 for RHEL 8 Via RHSA-2023:6200 https://access.redhat.com/errata/RHSA-2023:6200 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8 Via RHSA-2023:6202 https://access.redhat.com/errata/RHSA-2023:6202 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2023:5009 https://access.redhat.com/errata/RHSA-2023:5009 This issue has been addressed in the following products: OSSO-1.2-RHEL-8 Via RHSA-2023:6154 https://access.redhat.com/errata/RHSA-2023:6154 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2023:6840 https://access.redhat.com/errata/RHSA-2023:6840 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7762 https://access.redhat.com/errata/RHSA-2023:7762 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7764 https://access.redhat.com/errata/RHSA-2023:7764 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7765 https://access.redhat.com/errata/RHSA-2023:7765 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7766 https://access.redhat.com/errata/RHSA-2023:7766 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0121 https://access.redhat.com/errata/RHSA-2024:0121 This issue has been addressed in the following products: Service Interconnect 1 for RHEL 9 Via RHSA-2024:1901 https://access.redhat.com/errata/RHSA-2024:1901 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2160 https://access.redhat.com/errata/RHSA-2024:2160 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:2988 https://access.redhat.com/errata/RHSA-2024:2988 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2024:3352 https://access.redhat.com/errata/RHSA-2024:3352 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2024:3467 https://access.redhat.com/errata/RHSA-2024:3467 |