CVE-2023-24538
published 2023-04-06CVE-2023-24538: Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS…
PriorityP349critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
2.28%
81.0th percentile
Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | < golang-1.19 1.19.8-2 (bookworm) | golang-1.19 1.19.8-2 (bookworm) |
| debian | golang-1.19 | < golang-1.19 1.19.8-2 (bookworm) | golang-1.19 1.19.8-2 (bookworm) |
| golang | go | < 1.19.8 | 1.19.8 |
| golang | go | >= 1.20.0 < 1.20.3 | 1.20.3 |
| msrc | azl3_gcc_13.2.0-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.19.8-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.23.7-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.23.9-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_golang_1.17.13-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.18.8-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.19.8-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.21.6-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.20.11-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | — | — |
| paloalto | pan-os | — | — |
| zabbix | zabbix | 5.0.0 – 5.0.34 | — |
| zabbix | zabbix | 6.0.0 – 6.0.17 | — |
| zabbix | zabbix | 6.4.0 – 6.4.2 | — |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL
vendor_debian9.8CRITICAL
vendor_msrc9.8CRITICAL
vendor_redhat9.8CRITICAL
vendor_ubuntu9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
golang-1.17 vulnerabilities
osv·2024-10-10·CVSS 9.8
CVE-2023-24531 [CRITICAL] golang-1.17 vulnerabilities
golang-1.17 vulnerabilities
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables. An attacker could possibly use this issue to run
arbitrary commands. (CVE-2023-24531)
Sohom Datta discovered that Go did not properly validate backticks (`) as
Javascript string delimiters, and did not escape them as expected. An
attacker could possibly use this issue to inject arbitrary Javascript code
into the Go template. (CVE-2023-24538)
Juho Nurminen discovered that Go incorrectly handled certain special
characters in directory or file paths. An attacker could possibly use
this issue to inject code into the resulting binaries. (CVE-2023-29402)
Vincent Dehors discovered that Go incorrectly handled permission bits.
An attacker could possibly use this issue
OSV
golang-1.13, golang-1.16 vulnerabilities
osv·2024-01-09·CVSS 6.5
CVE-2022-29526 [MEDIUM] golang-1.13, golang-1.16 vulnerabilities
golang-1.13, golang-1.16 vulnerabilities
USN-6038-1 fixed several vulnerabilities in Go 1.18. This update provides
the corresponding updates for Go 1.13 and Go 1.16.
CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16.
Original advisory details:
It was discovered that the Go net/http module incorrectly handled
Transfer-Encoding headers in the HTTP/1 client. A remote attacker could
possibly use this issue to perform an HTTP Request Smuggling attack.
(CVE-2022-1705)
It was discovered that Go did not properly manage memory under certain
circumstances. An attacker could possibly use this issue to cause a panic
resulting into a denial of service. (CVE-2022-1962, CVE-2022-27664,
CVE-2022-28131, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632,
CVE-2022-30633, CVE-2022-30635, CVE-2022-3218
OSV
golang-1.18 vulnerabilities
osv·2023-04-25·CVSS 6.5
CVE-2022-1705 [MEDIUM] golang-1.18 vulnerabilities
golang-1.18 vulnerabilities
It was discovered that the Go net/http module incorrectly handled
Transfer-Encoding headers in the HTTP/1 client. A remote attacker could
possibly use this issue to perform an HTTP Request Smuggling attack.
(CVE-2022-1705)
It was discovered that Go did not properly manage memory under certain
circumstances. An attacker could possibly use this issue to cause a panic
resulting into a denial of service. (CVE-2022-1962, CVE-2022-27664,
CVE-2022-28131, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632,
CVE-2022-30633, CVE-2022-30635, CVE-2022-32189, CVE-2022-41715,
CVE-2022-41717, CVE-2023-24534, CVE-2023-24537)
It was discovered that Go did not properly implemented the maximum size of
file headers in Reader.Read. An attacker could possibly use this issue to
cause a
OSV
CVE-2023-24538: Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected
osv·2023-04-06·CVSS 9.8
CVE-2023-24538 [CRITICAL] CVE-2023-24538: Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected
Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an Erro
GHSA
GHSA-v4m2-x4rp-hv22: Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected
ghsa_unreviewed·2023-04-06
CVE-2023-24538 [CRITICAL] CWE-94 GHSA-v4m2-x4rp-hv22: Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected
Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an Erro
OSV
Backticks not treated as string delimiters in html/template
osv·2023-04-05
CVE-2023-24538 Backticks not treated as string delimiters in html/template
Backticks not treated as string delimiters in html/template
Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected.
Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template.
As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml.
With fix, Template.Parse retur
Palo Alto
PAN-SA-2024-0012 Informational Bulletin: OSS CVEs fixed in PAN-OS
vendor_paloalto·2024-10-29·CVSS 9.8
CVE-2019-17006 [CRITICAL] PAN-SA-2024-0012 Informational Bulletin: OSS CVEs fixed in PAN-OS
PAN-SA-2024-0012 Informational Bulletin: OSS CVEs fixed in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS. While it was not determined that these CVEs have any significant impact on PAN-OS, they have been fixed out of an abundance of caution. CVE Summary CVE-2019-17006 This CVE is fixed in PAN-OS 10.2.0, and all later versions of PAN-OS. CVE-2021-3518 This CVE is fixed in PAN-OS 10.2.0, and all later versions of PAN-OS. CVE-2021-25219 This CVE is fixed in PAN-OS 10.2.3, and all later versions of PAN-OS. CVE-2021-27645 This CVE is fixed in PAN-OS 10.2.8, PAN-OS 11.0.2, and all later versions of PAN-OS. CVE-2021-34798 This CVE is fixed in PAN-OS 10.2.8, PAN-OS 11.0.2, and all later versions o
Ubuntu
Go vulnerabilities
vendor_ubuntu·2024-10-10·CVSS 9.8
CVE-2023-29405 [CRITICAL] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables. An attacker could possibly use this issue to run
arbitrary commands. (CVE-2023-24531)
Sohom Datta discovered that Go did not properly validate backticks (`) as
Javascript string delimiters, and did not escape them as expected. An
attacker could possibly use this issue to inject arbitrary Javascript code
into the Go template. (CVE-2023-24538)
Juho Nurminen discovered that Go incorrectly handled certain special
characters in directory or file paths. An attacker could possibly use
this issue to inject code into the resulting binaries. (CVE-2023-29402)
Vincent Dehors discovered that Go incorrectly handled permissio
CISA ICS
Siemens SCALANCE XCM-/XRM-300
cisa_ics·2024-02-15
Siemens SCALANCE XCM-/XRM-300
ICS Advisory
##
Siemens SCALANCE XCM-/XRM-300
Release DateFebruary 15, 2024
Alert CodeICSA-24-046-11
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SCALANCE XCM-/XRM-300
- Vulnerabilities: Out-of-bounds Write, Incorrect Type Conversion or Cast, Improper Verification of Cryptographic Signature, Improper Access Control, Improper Authentication, Missing Encryption
Ubuntu
Go vulnerabilities
vendor_ubuntu·2024-01-09·CVSS 6.5
CVE-2022-2879 [MEDIUM] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
USN-6038-1 fixed several vulnerabilities in Go 1.18. This update provides
the corresponding updates for Go 1.13 and Go 1.16.
CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16.
Original advisory details:
It was discovered that the Go net/http module incorrectly handled
Transfer-Encoding headers in the HTTP/1 client. A remote attacker could
possibly use this issue to perform an HTTP Request Smuggling attack.
(CVE-2022-1705)
It was discovered that Go did not properly manage memory under certain
circumstances. An attacker could possibly use this issue to cause a panic
resulting into a denial of service. (CVE-2022-1962, CVE-2022-27664,
CVE-2022-28131, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632,
CVE-2022
Ubuntu
Go vulnerabilities
vendor_ubuntu·2023-06-06·CVSS 7.5
CVE-2023-29400 [HIGH] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
It was discovered that Go did not properly manage memory under certain
circumstances. An attacker could possibly use this issue to cause a panic
resulting in a denial of service. This issue only affected golang-1.19 on
Ubuntu 22.10. (CVE-2022-41724, CVE-2023-24534, CVE-2023-24537)
It was discovered that Go did not properly validate the amount of memory
and disk files ReadForm can consume. An attacker could possibly use this
issue to cause a panic resulting in a denial of service. This issue only
affected golang-1.19 on Ubuntu 22.10. (CVE-2022-41725)
It was discovered that Go did not properly validate backticks (`) as
Javascript string delimiters, and did not escape them as expected. An
attacker could possibly
Ubuntu
Go vulnerabilities
vendor_ubuntu·2023-04-25·CVSS 6.5
CVE-2022-1962 [MEDIUM] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
It was discovered that the Go net/http module incorrectly handled
Transfer-Encoding headers in the HTTP/1 client. A remote attacker could
possibly use this issue to perform an HTTP Request Smuggling attack.
(CVE-2022-1705)
It was discovered that Go did not properly manage memory under certain
circumstances. An attacker could possibly use this issue to cause a panic
resulting into a denial of service. (CVE-2022-1962, CVE-2022-27664,
CVE-2022-28131, CVE-2022-30630, CVE-2022-30631, CVE-2022-30632,
CVE-2022-30633, CVE-2022-30635, CVE-2022-32189, CVE-2022-41715,
CVE-2022-41717, CVE-2023-24534, CVE-2023-24537)
It was discovered that Go did not properly implemented the maximum size of
file headers in Reader.Read. An
Microsoft
Backticks not treated as string delimiters in html/template
vendor_msrc·2023-04-11·CVSS 9.8
CVE-2023-24538 [CRITICAL] CWE-94 Backticks not treated as string delimiters in html/template
Backticks not treated as string delimiters in html/template
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.m
Red Hat
golang: html/template: backticks not treated as string delimiters
vendor_redhat·2023-04-04·CVSS 9.8
CVE-2023-24538 [CRITICAL] CWE-94 golang: html/template: backticks not treated as string delimiters
golang: html/template: backticks not treated as string delimiters
Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse re
Debian
CVE-2023-24538: golang-1.15 - Templates do not properly consider backticks (`) as Javascript string delimiters...
vendor_debian·2023·CVSS 9.8
CVE-2023-24538 [CRITICAL] CVE-2023-24538: golang-1.15 - Templates do not properly consider backticks (`) as Javascript string delimiters...
Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an Erro
No detection rules found.
No public exploits indexed.
https://go.dev/cl/482079https://go.dev/issue/59234https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8https://pkg.go.dev/vuln/GO-2023-1703https://security.gentoo.org/glsa/202311-09https://go.dev/cl/482079https://go.dev/issue/59234https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8https://pkg.go.dev/vuln/GO-2023-1703https://security.gentoo.org/glsa/202311-09https://security.netapp.com/advisory/ntap-20241115-0007/
2023-04-06
Published