Vulnerability Details : CVE-2023-29400
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
Products affected by CVE-2023-29400
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-29400
0.14%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 50 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-29400
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.3
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
3.9
|
3.4
|
NIST |
CWE ids for CVE-2023-29400
-
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Assigned by:
- nvd@nist.gov (Primary)
- security@golang.org (Secondary)
References for CVE-2023-29400
-
https://go.dev/issue/59722
html/template: improper handling of empty HTML attributes · Issue #59722 · golang/go · GitHubIssue Tracking;Patch
-
https://pkg.go.dev/vuln/GO-2023-1753
GO-2023-1753 - Go PackagesVendor Advisory
-
https://go.dev/cl/491617
html/template: emit filterFailsafe for empty unquoted attr value (491617) · Gerrit Code ReviewPatch
-
https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
[security] Go 1.20.4 and Go 1.19.9 are releasedMailing List;Release Notes
Jump to