First published: Sun May 07 2023
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
Credit: security@golang.org
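The whitespace mismatch described above can be audited for in template sources. The following is an added example, not code from the Go project or this advisory: it flags characters that ECMAScript treats as whitespace or line terminators but that fall outside the quoted set, in `<script>` blocks that also contain an action. The names `ScanTemplate`, `Finding` and `scriptRe` are hypothetical, and the regex is a heuristic that does not cover inline event-handler attributes.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// sanitizerSet is the character set quoted in the advisory text.
const sanitizerSet = "\t\n\f\r\u0020\u2028\u2029"

// scriptRe is a heuristic (assumption): only <script> elements are inspected.
var scriptRe = regexp.MustCompile(`(?is)<script\b[^>]*>(.*?)</script>`)

// isJSWhitespace reports whether r is ECMAScript WhiteSpace or a LineTerminator.
func isJSWhitespace(r rune) bool {
	switch r {
	case '\t', '\v', '\f', '\u00a0', '\ufeff', '\n', '\r', '\u2028', '\u2029':
		return true
	}
	return unicode.Is(unicode.Zs, r) // Unicode "Space_Separator" category
}

// Finding is one flagged rune and its byte offset in the template source.
type Finding struct {
	Offset int
	Rune   rune
}

// ScanTemplate returns JS whitespace outside sanitizerSet found inside
// script blocks that also contain a template action ("{{").
func ScanTemplate(src string) []Finding {
	var out []Finding
	for _, m := range scriptRe.FindAllStringSubmatchIndex(src, -1) {
		body := src[m[2]:m[3]]
		if !strings.Contains(body, "{{") {
			continue // no action in this block, so not the case the advisory describes
		}
		for i, r := range body {
			if isJSWhitespace(r) && !strings.ContainsRune(sanitizerSet, r) {
				out = append(out, Finding{Offset: m[2] + i, Rune: r})
			}
		}
	}
	return out
}

func main() {
	// Constructed sample: U+00A0 appears in both blocks, only the first has an action.
	fmt.Println(ScanTemplate("<script>var x =\u00a0{{.V}};</script><script>var y =\u00a0 1;</script>"))
}
```

A finding is a prompt to review the template and confirm the Go toolchain in use is a fixed version; it is not proof of exploitability.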
Affected Software | Affected Version | How to fix |
---|---|---|
Golang Go | <1.19.9 | |
Golang Go | >=1.20.0 <1.20.4 | |
redhat/golang | <1.19.9 | 1.19.9 |
redhat/golang | <1.20.4 | 1.20.4 |
CVE-2023-24540 is a vulnerability in the Go programming language in which templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
CVE-2023-24540 has a severity rating of 9.8 (critical).
The affected software packages are golang versions up to and excluding 1.19.9, and golang versions from 1.20.0 up to and excluding 1.20.4.
To fix CVE-2023-24540, update to golang version 1.19.9 or to version 1.20.4.
You can find more information about CVE-2023-24540 in the following references:

1. [Bugzilla - CVE-2023-24540](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2196629)
2. [Bugzilla - CVE-2023-24540](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2196630)
3. [Golang Announce - CVE-2023-24540](https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU)