Bug 2237773 (CVE-2023-39319) - CVE-2023-39319 golang: html/template: improper handling of special tags within script contexts
Summary: CVE-2023-39319 golang: html/template: improper handling of special tags withi...
Keywords:
Status: NEW
Alias: CVE-2023-39319
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Sayan Biswas
QA Contact:
URL:
Whiteboard:
Depends On: 2238077 2238078 2238079 2238080 2238084 2238086 2238059 2238060 2238061 2238062 2238063 2238064 2238065 2238066 2238073 2238074 2238075 2238081 2238082 2238083 2238085 2238088 2238090 2238802 2238803 2280689
Blocks: 2237770
TreeView+ depends on / blocked
 
Reported: 2023-09-06 20:15 UTC by Patrick Del Bello
Modified: 2025-05-06 08:29 UTC (History)
89 users (show)

Fixed In Version: golang 1.20.8, golang 1.21.1
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:3469 0 None None None 2024-05-29 14:32:41 UTC
Red Hat Product Errata RHSA-2023:5009 0 None None None 2023-10-31 14:02:16 UTC
Red Hat Product Errata RHSA-2023:5947 0 None None None 2023-10-26 00:48:04 UTC
Red Hat Product Errata RHSA-2023:5974 0 None None None 2023-10-20 16:50:11 UTC
Red Hat Product Errata RHSA-2023:6085 0 None None None 2023-10-24 15:32:47 UTC
Red Hat Product Errata RHSA-2023:6115 0 None None None 2023-10-25 14:02:10 UTC
Red Hat Product Errata RHSA-2023:6119 0 None None None 2023-10-25 15:52:59 UTC
Red Hat Product Errata RHSA-2023:6122 0 None None None 2023-10-25 18:15:18 UTC
Red Hat Product Errata RHSA-2023:6145 0 None None None 2023-10-26 18:18:26 UTC
Red Hat Product Errata RHSA-2023:6148 0 None None None 2023-10-26 19:20:39 UTC
Red Hat Product Errata RHSA-2023:6154 0 None None None 2023-11-01 00:30:49 UTC
Red Hat Product Errata RHSA-2023:6161 0 None None None 2023-10-30 02:16:27 UTC
Red Hat Product Errata RHSA-2023:6200 0 None None None 2023-10-30 18:15:41 UTC
Red Hat Product Errata RHSA-2023:6202 0 None None None 2023-10-30 20:14:23 UTC
Red Hat Product Errata RHSA-2023:6840 0 None None None 2023-11-15 04:38:11 UTC
Red Hat Product Errata RHSA-2023:7762 0 None None None 2023-12-12 17:23:20 UTC
Red Hat Product Errata RHSA-2023:7764 0 None None None 2023-12-12 17:23:44 UTC
Red Hat Product Errata RHSA-2023:7765 0 None None None 2023-12-12 17:24:03 UTC
Red Hat Product Errata RHSA-2023:7766 0 None None None 2023-12-12 17:24:50 UTC
Red Hat Product Errata RHSA-2024:0121 0 None None None 2024-01-10 11:28:18 UTC
Red Hat Product Errata RHSA-2024:1901 0 None None None 2024-04-18 07:18:24 UTC
Red Hat Product Errata RHSA-2024:2160 0 None None None 2024-04-30 09:41:23 UTC
Red Hat Product Errata RHSA-2024:2988 0 None None None 2024-05-22 09:27:47 UTC
Red Hat Product Errata RHSA-2024:3352 0 None None None 2024-05-23 15:24:51 UTC
Red Hat Product Errata RHSA-2024:3467 0 None None None 2024-05-29 13:30:29 UTC

Description Patrick Del Bello 2023-09-06 20:15:59 UTC 
The html/template package did not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.
Comment 8 Anten Skrabec 2023-09-13 17:16:45 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2238802]
Affects: fedora-all [bug 2238803]
Comment 13 errata-xmlrpc 2023-10-20 16:50:05 UTC 
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.4.0-RHEL-9

Via RHSA-2023:5974 https://access.redhat.com/errata/RHSA-2023:5974
Comment 14 errata-xmlrpc 2023-10-24 15:32:41 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.9

Via RHSA-2023:6085 https://access.redhat.com/errata/RHSA-2023:6085
Comment 15 errata-xmlrpc 2023-10-25 14:02:02 UTC 
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:6115 https://access.redhat.com/errata/RHSA-2023:6115
Comment 16 errata-xmlrpc 2023-10-25 15:52:51 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.3 for RHEL 8

Via RHSA-2023:6119 https://access.redhat.com/errata/RHSA-2023:6119
Comment 17 errata-xmlrpc 2023-10-25 18:15:12 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8

Via RHSA-2023:6122 https://access.redhat.com/errata/RHSA-2023:6122
Comment 18 errata-xmlrpc 2023-10-26 00:47:58 UTC 
This issue has been addressed in the following products:

  RODOO-1.0-RHEL-8

Via RHSA-2023:5947 https://access.redhat.com/errata/RHSA-2023:5947
Comment 19 errata-xmlrpc 2023-10-26 18:18:18 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.2 for RHEL 8

Via RHSA-2023:6145 https://access.redhat.com/errata/RHSA-2023:6145
Comment 20 errata-xmlrpc 2023-10-26 19:20:32 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2023:6148 https://access.redhat.com/errata/RHSA-2023:6148
Comment 21 errata-xmlrpc 2023-10-30 02:16:20 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:6161 https://access.redhat.com/errata/RHSA-2023:6161
Comment 22 errata-xmlrpc 2023-10-30 18:15:34 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2023:6200 https://access.redhat.com/errata/RHSA-2023:6200
Comment 23 errata-xmlrpc 2023-10-30 20:14:16 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2023:6202 https://access.redhat.com/errata/RHSA-2023:6202
Comment 24 errata-xmlrpc 2023-10-31 14:02:09 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5009 https://access.redhat.com/errata/RHSA-2023:5009
Comment 25 errata-xmlrpc 2023-11-01 00:30:43 UTC 
This issue has been addressed in the following products:

  OSSO-1.2-RHEL-8

Via RHSA-2023:6154 https://access.redhat.com/errata/RHSA-2023:6154
Comment 26 errata-xmlrpc 2023-11-15 04:38:04 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:6840 https://access.redhat.com/errata/RHSA-2023:6840
Comment 27 errata-xmlrpc 2023-12-12 17:23:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7762 https://access.redhat.com/errata/RHSA-2023:7762
Comment 28 errata-xmlrpc 2023-12-12 17:23:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7764 https://access.redhat.com/errata/RHSA-2023:7764
Comment 29 errata-xmlrpc 2023-12-12 17:23:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7765 https://access.redhat.com/errata/RHSA-2023:7765
Comment 30 errata-xmlrpc 2023-12-12 17:24:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7766 https://access.redhat.com/errata/RHSA-2023:7766
Comment 31 errata-xmlrpc 2024-01-10 11:28:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0121 https://access.redhat.com/errata/RHSA-2024:0121
Comment 33 errata-xmlrpc 2024-04-18 07:18:18 UTC 
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 9

Via RHSA-2024:1901 https://access.redhat.com/errata/RHSA-2024:1901
Comment 34 errata-xmlrpc 2024-04-30 09:41:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2160 https://access.redhat.com/errata/RHSA-2024:2160
Comment 37 errata-xmlrpc 2024-05-22 09:27:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2988 https://access.redhat.com/errata/RHSA-2024:2988
Comment 38 errata-xmlrpc 2024-05-23 15:24:42 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2024:3352 https://access.redhat.com/errata/RHSA-2024:3352
Comment 39 errata-xmlrpc 2024-05-29 13:30:22 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2024:3467 https://access.redhat.com/errata/RHSA-2024:3467
Note You need to log in before you can comment on or make changes to this bug.