CVE-2023-29400
First published: Sun May 07 2023(Updated: )
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
Credit: security@golang.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Golang Go | <1.19.9 | |
| Golang Go | >=1.20.0<1.20.4 |
Remedy
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://go.dev/cl/491617
- https://go.dev/issue/59722
- https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
- https://pkg.go.dev/vuln/GO-2023-1753
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2196474
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2196475
- https://github.com/golang/go/commit/0d347544cbca0f42b160424f6bc2458ebcc7b3fc
- https://github.com/golang/go/commit/9db0e74f606b8afb28cc71d4b1c8b4ed24cabbf5
- https://github.com/golang/go/commit/337dd75343145b74ed2073d793322eb4103b56ad
- https://access.redhat.com/errata/RHSA-2023:3323
- https://access.redhat.com/errata/RHSA-2023:3415
- https://access.redhat.com/errata/RHSA-2023:3435
- https://access.redhat.com/errata/RHSA-2023:3445
- https://access.redhat.com/errata/RHSA-2023:3367
- https://access.redhat.com/errata/RHSA-2023:3540
- https://access.redhat.com/errata/RHSA-2023:3905
- https://access.redhat.com/errata/RHSA-2023:3918
- https://access.redhat.com/errata/RHSA-2023:4003
- https://access.redhat.com/errata/RHSA-2023:4093
- https://access.redhat.com/errata/RHSA-2023:4293
- https://access.redhat.com/errata/RHSA-2023:4470
- https://access.redhat.com/errata/RHSA-2023:4472
- https://access.redhat.com/errata/RHSA-2023:4335
- https://access.redhat.com/errata/RHSA-2023:4459
- https://access.redhat.com/errata/RHSA-2023:4627
- https://access.redhat.com/errata/RHSA-2023:4664
- https://access.redhat.com/errata/RHSA-2023:4657
- https://access.redhat.com/errata/RHSA-2023:5421
- https://access.redhat.com/errata/RHSA-2023:5442
- https://access.redhat.com/errata/RHSA-2023:5947
- https://access.redhat.com/errata/RHSA-2023:6346
- https://access.redhat.com/errata/RHSA-2023:6363
- https://access.redhat.com/errata/RHSA-2023:6402
- https://access.redhat.com/errata/RHSA-2023:6473
- https://access.redhat.com/errata/RHSA-2023:6474
- https://access.redhat.com/errata/RHSA-2023:6832
- https://access.redhat.com/errata/RHSA-2023:6938
- https://access.redhat.com/errata/RHSA-2023:6939
- https://bugzilla.redhat.com/show_bug.cgi?id=2196029
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2023-29400.
What is the severity level of CVE-2023-29400?
The severity level of CVE-2023-29400 is high with a score of 7.3.
What is the description of CVE-2023-29400?
CVE-2023-29400 is a vulnerability where templates containing actions in unquoted HTML attributes executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules, allowing injection of arbitrary attributes into tags.
Which software versions are affected by CVE-2023-29400?
The affected software versions are golang 1.19.9 and golang 1.20.4 (up to exclusive).
Are there any references available for CVE-2023-29400?
Yes, you can find references for CVE-2023-29400 at the following links: [link1](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2196474), [link2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2196475), [link3](https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-29400
- agent/software-canonical-lookup
- vendor/golang
- canonical/golang go
- version/golang go/1.20.0
- package-manager/redhat