Bug 2237773 (CVE-2023-39319) - CVE-2023-39319 golang: html/template: improper handling of special tags within script contexts
Keywords:
Status: NEW
Alias: CVE-2023-39319
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Sayan Biswas
QA Contact:
URL:
Whiteboard:
Depends On: 2238064 2238077 2238078 2238079 2238080 2238084 2238085 2238086 2238059 2238060 2238061 2238062 2238063 2238065 2238066 2238073 2238074 2238075 2238081 2238082 2238083 2238088 2238090 2238802 2238803
Blocks: 2237770
Reported: 2023-09-06 20:15 UTC by Patrick Del Bello
Modified: 2024-04-18 07:18 UTC (History)

Fixed In Version: golang 1.20.8, golang 1.21.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Golang. The html/template package did not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This issue may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:5009 0 None None None 2023-10-31 14:02:16 UTC
Red Hat Product Errata RHSA-2023:5947 0 None None None 2023-10-26 00:48:04 UTC
Red Hat Product Errata RHSA-2023:5974 0 None None None 2023-10-20 16:50:11 UTC
Red Hat Product Errata RHSA-2023:6085 0 None None None 2023-10-24 15:32:47 UTC
Red Hat Product Errata RHSA-2023:6115 0 None None None 2023-10-25 14:02:10 UTC
Red Hat Product Errata RHSA-2023:6119 0 None None None 2023-10-25 15:52:59 UTC
Red Hat Product Errata RHSA-2023:6122 0 None None None 2023-10-25 18:15:18 UTC
Red Hat Product Errata RHSA-2023:6145 0 None None None 2023-10-26 18:18:26 UTC
Red Hat Product Errata RHSA-2023:6148 0 None None None 2023-10-26 19:20:39 UTC
Red Hat Product Errata RHSA-2023:6154 0 None None None 2023-11-01 00:30:49 UTC
Red Hat Product Errata RHSA-2023:6161 0 None None None 2023-10-30 02:16:27 UTC
Red Hat Product Errata RHSA-2023:6200 0 None None None 2023-10-30 18:15:41 UTC
Red Hat Product Errata RHSA-2023:6202 0 None None None 2023-10-30 20:14:23 UTC
Red Hat Product Errata RHSA-2023:6840 0 None None None 2023-11-15 04:38:11 UTC
Red Hat Product Errata RHSA-2023:7762 0 None None None 2023-12-12 17:23:20 UTC
Red Hat Product Errata RHSA-2023:7764 0 None None None 2023-12-12 17:23:44 UTC
Red Hat Product Errata RHSA-2023:7765 0 None None None 2023-12-12 17:24:03 UTC
Red Hat Product Errata RHSA-2023:7766 0 None None None 2023-12-12 17:24:50 UTC
Red Hat Product Errata RHSA-2024:0121 0 None None None 2024-01-10 11:28:18 UTC
Red Hat Product Errata RHSA-2024:1901 0 None None None 2024-04-18 07:18:24 UTC

Description Patrick Del Bello 2023-09-06 20:15:59 UTC
The html/template package did not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.

Comment 8 Anten Skrabec 2023-09-13 17:16:45 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2238802]
Affects: fedora-all [bug 2238803]

Comment 13 errata-xmlrpc 2023-10-20 16:50:05 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.4.0-RHEL-9

Via RHSA-2023:5974 https://access.redhat.com/errata/RHSA-2023:5974

Comment 14 errata-xmlrpc 2023-10-24 15:32:41 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.9

Via RHSA-2023:6085 https://access.redhat.com/errata/RHSA-2023:6085

Comment 15 errata-xmlrpc 2023-10-25 14:02:02 UTC
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:6115 https://access.redhat.com/errata/RHSA-2023:6115

Comment 16 errata-xmlrpc 2023-10-25 15:52:51 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.3 for RHEL 8

Via RHSA-2023:6119 https://access.redhat.com/errata/RHSA-2023:6119

Comment 17 errata-xmlrpc 2023-10-25 18:15:12 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8

Via RHSA-2023:6122 https://access.redhat.com/errata/RHSA-2023:6122

Comment 18 errata-xmlrpc 2023-10-26 00:47:58 UTC
This issue has been addressed in the following products:

  RODOO-1.0-RHEL-8

Via RHSA-2023:5947 https://access.redhat.com/errata/RHSA-2023:5947

Comment 19 errata-xmlrpc 2023-10-26 18:18:18 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.2 for RHEL 8

Via RHSA-2023:6145 https://access.redhat.com/errata/RHSA-2023:6145

Comment 20 errata-xmlrpc 2023-10-26 19:20:32 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2023:6148 https://access.redhat.com/errata/RHSA-2023:6148

Comment 21 errata-xmlrpc 2023-10-30 02:16:20 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:6161 https://access.redhat.com/errata/RHSA-2023:6161

Comment 22 errata-xmlrpc 2023-10-30 18:15:34 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2023:6200 https://access.redhat.com/errata/RHSA-2023:6200

Comment 23 errata-xmlrpc 2023-10-30 20:14:16 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2023:6202 https://access.redhat.com/errata/RHSA-2023:6202

Comment 24 errata-xmlrpc 2023-10-31 14:02:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5009 https://access.redhat.com/errata/RHSA-2023:5009

Comment 25 errata-xmlrpc 2023-11-01 00:30:43 UTC
This issue has been addressed in the following products:

  OSSO-1.2-RHEL-8

Via RHSA-2023:6154 https://access.redhat.com/errata/RHSA-2023:6154

Comment 26 errata-xmlrpc 2023-11-15 04:38:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:6840 https://access.redhat.com/errata/RHSA-2023:6840

Comment 27 errata-xmlrpc 2023-12-12 17:23:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7762 https://access.redhat.com/errata/RHSA-2023:7762

Comment 28 errata-xmlrpc 2023-12-12 17:23:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7764 https://access.redhat.com/errata/RHSA-2023:7764

Comment 29 errata-xmlrpc 2023-12-12 17:23:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7765 https://access.redhat.com/errata/RHSA-2023:7765

Comment 30 errata-xmlrpc 2023-12-12 17:24:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7766 https://access.redhat.com/errata/RHSA-2023:7766

Comment 31 errata-xmlrpc 2024-01-10 11:28:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0121 https://access.redhat.com/errata/RHSA-2024:0121

Comment 33 errata-xmlrpc 2024-04-18 07:18:18 UTC
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 9

Via RHSA-2024:1901 https://access.redhat.com/errata/RHSA-2024:1901