CVE-2023-24540 — Command Injection in Standard Library Html Template

CWE-77 — Command Injection CWE-176 — Improper Handling of Unicode Encoding CWE-74 — Injection9 documents8 sources

Severity

9.8CRITICALNVD

EPSS

0.2%

top 52.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library Html Template Golang GO

Timeline

PublishedMay 11

Latest updateJun 6

Description

Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDgolang/go1.20.0 — 1.20.4+1

▶CVEListV5go_standard_library/html_template1.20.0-0 — 1.20.4+1

Patches

Patch: go.dev ↗Patch: go.dev ↗Patch: go.dev ↗

🔴Vulnerability Details

CVEList

Improper handling of JavaScript whitespace in html/template↗2023-05-11

▶

GHSA

GHSA-7qhm-5mxq-x7vp: Not all valid JavaScript whitespace characters are considered to be whitespace↗2023-05-11

▶

OSV

CVE-2023-24540: Not all valid JavaScript whitespace characters are considered to be whitespace↗2023-05-11

▶

OSV

Improper handling of JavaScript whitespace in html/template↗2023-05-05

▶

📋Vendor Advisories

Ubuntu

Go vulnerabilities↗2023-06-06

▶

Microsoft

Improper handling of JavaScript whitespace in html/template↗2023-05-09

▶

Red Hat

golang: html/template: improper handling of JavaScript whitespace↗2023-04-20

▶

Debian

CVE-2023-24540: golang-1.15 - Not all valid JavaScript whitespace characters are considered to be whitespace. ...↗2023

▶