2268022 – (CVE-2024-24785) CVE-2024-24785 golang: html/template: errors returned from MarshalJSON methods may break template escaping

Bug 2268022 (CVE-2024-24785) - CVE-2024-24785 golang: html/template: errors returned from MarshalJSON methods may break template escaping

Summary: CVE-2024-24785 golang: html/template: errors returned from MarshalJSON method...

Keywords:
Status:	NEW
Alias:	CVE-2024-24785
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2268254 2268255 2268256 2276484 2276485 2276486 2276487 2276488 2276489 2276490 2276491 2276492 2276493 2276494 2280891 2276495
Blocks:	2268016
TreeView+	depends on / blocked

Reported:	2024-03-06 02:11 UTC by Robb Gatica
Modified:	2024-05-16 21:12 UTC (History)
CC List:	105 users (show)
Fixed In Version:	go 1.21.8, go 1.22.1
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Go's html/template standard library package. If errors returned from MarshalJSON methods contain user-controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing subsequent actions to inject unexpected content into templates.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:2562	0	None	None	None	2024-04-30 14:39:52 UTC

Description Robb Gatica 2024-03-06 02:11:26 UTC

If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the
html/template package, allowing for subsequent actions to inject unexpected content into templates.

https://github.com/golang/go/issues/65697

Comment 3 Robb Gatica 2024-03-06 19:47:39 UTC

Created golang tracking bugs for this issue:

Affects: epel-all [bug 2268255]
Affects: fedora-all [bug 2268254]

Comment 14 errata-xmlrpc 2024-04-30 14:39:46 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2562 https://access.redhat.com/errata/RHSA-2024:2562

Note You need to log in before you can comment on or make changes to this bug.

abishop
adudiak
amasferr
amctagga
ansmith
aoconnor
apjagtap
asatyam
aveerama
bdettelb
bniver
bodavis
chazlett
davidn
dbenoit
dfreiber
dhanak
diagrawa
dkenigsb
dperaza
drow
dsimansk
dymurray
eglynn
emachado
epacific
fdeutsch
flucifre
ganandan
gmeno
gparvin
ibolton
jaharrin
jburrell
jcammara
jcantril
jchui
jeder
jhardy
jjoyce
jmatthew
jmontleo
jneedle
jobarker
joelsmith
jschluet
kaycoth
kingland
kshier
kverlaen
lbainbri
lhh
lsvaty
mabashia
matzew
mbenjamin
mbocek
mburns
mgarciac
mhackett
mkudlej
mnewsome
mnovotny
mrajanna
mwringe
njean
odf-bz-bot
omaciel
oramraz
osapryki
owatkins
pahickey
peholase
periklis
pgrist
pierdipi
pjindal
rgarg
rguimara
rhaigner
rhos-maint
rhuss
rjohnson
sabiswas
saroy
sdawley
shbose
sidakwo
simaishi
sipoyare
skontopo
slucidi
smcdonal
smullick
sostapov
sseago
stcannon
teagle
tjochec
ubhargav
vereddy
vkumar
whayutin
yguenane
zsadeh