Bug 2237776 (CVE-2023-39318) - CVE-2023-39318 golang: html/template: improper handling of HTML-like comments within script contexts
Summary: CVE-2023-39318 golang: html/template: improper handling of HTML-like comments...
Keywords:
Status: NEW
Alias: CVE-2023-39318
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Sayan Biswas
QA Contact:
URL:
Whiteboard:
Depends On: 2238064 2238077 2238078 2238079 2238080 2238084 2238085 2238086 2238059 2238060 2238061 2238062 2238063 2238065 2238066 2238073 2238074 2238075 2238081 2238082 2238083 2238088 2238090 2238806 2238807
Blocks: 2237770
TreeView+ depends on / blocked
 
Reported: 2023-09-06 20:23 UTC by Patrick Del Bello
Modified: 2024-04-03 08:21 UTC (History)
94 users (show)

Fixed In Version: golang 1.20.8, golang 1.21.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Golang. The html/template package did not properly handle HMTL-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This issue may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:5009 0 None None None 2023-10-31 14:02:17 UTC
Red Hat Product Errata RHSA-2023:5947 0 None None None 2023-10-26 00:48:08 UTC
Red Hat Product Errata RHSA-2023:5974 0 None None None 2023-10-20 16:50:11 UTC
Red Hat Product Errata RHSA-2023:6085 0 None None None 2023-10-24 15:32:50 UTC
Red Hat Product Errata RHSA-2023:6115 0 None None None 2023-10-25 14:02:08 UTC
Red Hat Product Errata RHSA-2023:6119 0 None None None 2023-10-25 15:52:59 UTC
Red Hat Product Errata RHSA-2023:6122 0 None None None 2023-10-25 18:15:20 UTC
Red Hat Product Errata RHSA-2023:6145 0 None None None 2023-10-26 18:18:24 UTC
Red Hat Product Errata RHSA-2023:6148 0 None None None 2023-10-26 19:20:39 UTC
Red Hat Product Errata RHSA-2023:6154 0 None None None 2023-11-01 00:30:51 UTC
Red Hat Product Errata RHSA-2023:6161 0 None None None 2023-10-30 02:16:28 UTC
Red Hat Product Errata RHSA-2023:6200 0 None None None 2023-10-30 18:15:43 UTC
Red Hat Product Errata RHSA-2023:6202 0 None None None 2023-10-30 20:14:24 UTC
Red Hat Product Errata RHSA-2023:6840 0 None None None 2023-11-15 04:38:11 UTC
Red Hat Product Errata RHSA-2023:7762 0 None None None 2023-12-12 17:23:21 UTC
Red Hat Product Errata RHSA-2023:7764 0 None None None 2023-12-12 17:23:44 UTC
Red Hat Product Errata RHSA-2023:7765 0 None None None 2023-12-12 17:24:05 UTC
Red Hat Product Errata RHSA-2023:7766 0 None None None 2023-12-12 17:24:53 UTC
Red Hat Product Errata RHSA-2024:0121 0 None None None 2024-01-10 11:28:22 UTC

Description Patrick Del Bello 2023-09-06 20:23:01 UTC
The html/template package did not properly handle HMTL-like "<!--" and "-->"comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.

Comment 8 Anten Skrabec 2023-09-13 17:19:10 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2238806]
Affects: fedora-all [bug 2238807]

Comment 12 errata-xmlrpc 2023-10-20 16:50:05 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.4.0-RHEL-9

Via RHSA-2023:5974 https://access.redhat.com/errata/RHSA-2023:5974

Comment 13 errata-xmlrpc 2023-10-24 15:32:42 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.9

Via RHSA-2023:6085 https://access.redhat.com/errata/RHSA-2023:6085

Comment 14 errata-xmlrpc 2023-10-25 14:02:02 UTC
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:6115 https://access.redhat.com/errata/RHSA-2023:6115

Comment 15 errata-xmlrpc 2023-10-25 15:52:52 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.3 for RHEL 8

Via RHSA-2023:6119 https://access.redhat.com/errata/RHSA-2023:6119

Comment 16 errata-xmlrpc 2023-10-25 18:15:12 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8

Via RHSA-2023:6122 https://access.redhat.com/errata/RHSA-2023:6122

Comment 17 errata-xmlrpc 2023-10-26 00:48:01 UTC
This issue has been addressed in the following products:

  RODOO-1.0-RHEL-8

Via RHSA-2023:5947 https://access.redhat.com/errata/RHSA-2023:5947

Comment 18 errata-xmlrpc 2023-10-26 18:18:18 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.2 for RHEL 8

Via RHSA-2023:6145 https://access.redhat.com/errata/RHSA-2023:6145

Comment 19 errata-xmlrpc 2023-10-26 19:20:32 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2023:6148 https://access.redhat.com/errata/RHSA-2023:6148

Comment 20 errata-xmlrpc 2023-10-30 02:16:21 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:6161 https://access.redhat.com/errata/RHSA-2023:6161

Comment 21 errata-xmlrpc 2023-10-30 18:15:34 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2023:6200 https://access.redhat.com/errata/RHSA-2023:6200

Comment 22 errata-xmlrpc 2023-10-30 20:14:16 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2023:6202 https://access.redhat.com/errata/RHSA-2023:6202

Comment 23 errata-xmlrpc 2023-10-31 14:02:11 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5009 https://access.redhat.com/errata/RHSA-2023:5009

Comment 24 errata-xmlrpc 2023-11-01 00:30:43 UTC
This issue has been addressed in the following products:

  OSSO-1.2-RHEL-8

Via RHSA-2023:6154 https://access.redhat.com/errata/RHSA-2023:6154

Comment 25 errata-xmlrpc 2023-11-15 04:38:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:6840 https://access.redhat.com/errata/RHSA-2023:6840

Comment 26 errata-xmlrpc 2023-12-12 17:23:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7762 https://access.redhat.com/errata/RHSA-2023:7762

Comment 27 errata-xmlrpc 2023-12-12 17:23:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7764 https://access.redhat.com/errata/RHSA-2023:7764

Comment 28 errata-xmlrpc 2023-12-12 17:23:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7765 https://access.redhat.com/errata/RHSA-2023:7765

Comment 29 errata-xmlrpc 2023-12-12 17:24:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7766 https://access.redhat.com/errata/RHSA-2023:7766

Comment 30 errata-xmlrpc 2024-01-10 11:28:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0121 https://access.redhat.com/errata/RHSA-2024:0121


Note You need to log in before you can comment on or make changes to this bug.