Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input could result in output that would have unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
Created golang tracking bugs for this issue: Affects: epel-all [bug 2196474] Affects: fedora-all [bug 2196475]
References: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU Go issue https://go.dev/issue/59722 Commits: https://github.com/golang/go/commit/0d347544cbca0f42b160424f6bc2458ebcc7b3fc [Master] https://github.com/golang/go/commit/9db0e74f606b8afb28cc71d4b1c8b4ed24cabbf5 [release-branch.go1.19] https://github.com/golang/go/commit/337dd75343145b74ed2073d793322eb4103b56ad [release-branch.go1.20]
This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2023:3323 https://access.redhat.com/errata/RHSA-2023:3323
This issue has been addressed in the following products: RHACS-4.0-RHEL-8 Via RHSA-2023:3415 https://access.redhat.com/errata/RHSA-2023:3415
This issue has been addressed in the following products: RHACS-3.74-RHEL-8 Via RHSA-2023:3435 https://access.redhat.com/errata/RHSA-2023:3435
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2023:3445 https://access.redhat.com/errata/RHSA-2023:3445
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:3367 https://access.redhat.com/errata/RHSA-2023:3367
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:3540 https://access.redhat.com/errata/RHSA-2023:3540
This issue has been addressed in the following products: NETWORK-OBSERVABILITY-1.3.0-RHEL-9 Via RHSA-2023:3905 https://access.redhat.com/errata/RHSA-2023:3905
This issue has been addressed in the following products: OADP-1.1-RHEL-8 Via RHSA-2023:3918 https://access.redhat.com/errata/RHSA-2023:3918
This issue has been addressed in the following products: Service Interconnect 1 for RHEL 8 Service Interconnect 1 for RHEL 9 Via RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Ironic content for Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:4093 https://access.redhat.com/errata/RHSA-2023:4093
This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2023:4293 https://access.redhat.com/errata/RHSA-2023:4293
This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.3 for RHEL 8 Via RHSA-2023:4470 https://access.redhat.com/errata/RHSA-2023:4470
This issue has been addressed in the following products: RHOSS-1.29-RHEL-8 Via RHSA-2023:4472 https://access.redhat.com/errata/RHSA-2023:4472
This issue has been addressed in the following products: CERT-MANAGER-1.10-RHEL-9 Via RHSA-2023:4335 https://access.redhat.com/errata/RHSA-2023:4335
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:4459 https://access.redhat.com/errata/RHSA-2023:4459
This issue has been addressed in the following products: MTA-6.2-RHEL-9 MTA-6.2-RHEL-8 Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627
This issue has been addressed in the following products: RHEL-9-CNV-4.13 Via RHSA-2023:4664 https://access.redhat.com/errata/RHSA-2023:4664