CVE-2023-39318
published 2023-09-08
Priority: P4 · 24 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.81% (52.5th percentile)
The html/template package does not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.
Affected
21 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-1.15 | — | — |
| debian | golang-1.19 | — | — |
| go_standard_library | html_template | < 1.20.8 | 1.20.8 |
| go_standard_library | html_template | >= 1.21.0-0 < 1.21.1 | 1.21.1 |
| golang | go | < 1.20.8 | 1.20.8 |
| golang | go | >= 1.21.0 < 1.21.1 | 1.21.1 |
| msrc | azl3_gcc_13.2.0-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.20.10-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.22.10-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.23.9-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_golang_1.24.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | azl3_tensorflow_2.16.1-9_on_azure_linux_3.0 | — | — |
| msrc | cbl2_golang_1.17.13-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.18.8-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.20.10-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_golang_1.21.6-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_msft-golang_1.20.10-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_tensorflow_2.11.1-2_on_cbl_mariner_2.0 | — | — |
| paloalto | pan-os | — | — |
CVSS provenance
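| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| osv | 9.8 | CRITICAL | — |
| vendor_ubuntu | 9.8 | CRITICAL | — |
| vendor_debian | 6.1 | MEDIUM | — |
| vendor_msrc | 6.1 | MEDIUM | — |
| vendor_redhat | 6.1 | MEDIUM | — |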
OSV
golang-1.18 vulnerabilities
osv·2024-11-14·CVSS 7.5
CVE-2022-41723 [HIGH] golang-1.18 vulnerabilities
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables. An attacker could possibly use this issue to run
OSV
golang-1.17 vulnerabilities
osv·2024-10-10·CVSS 9.8
CVE-2023-24531 [CRITICAL] golang-1.17 vulnerabilities
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables. An attacker could possibly use this issue to run
arbitrary commands. (CVE-2023-24531)
Sohom Datta discovered that Go did not properly validate backticks (`) as
Javascript string delimiters, and did not escape them as expected. An
attacker could possibly use this issue to inject arbitrary Javascript code
into the Go template. (CVE-2023-24538)
Juho Nurminen discovered that Go incorrectly handled certain special
characters in directory or file paths. An attacker could possibly use
this issue to inject code into the resulting binaries. (CVE-2023-29402)
Vincent Dehors discovered that Go incorrectly handled permission bits.
An attacker could possibly use this issue
OSV
Go vulnerabilities
osv·2024-01-11·CVSS 6.1
CVE-2023-39318 [MEDIUM] Go vulnerabilities
Takeshi Kaneko discovered that Go did not properly handle comments and
special tags in the script context of html/template module. An attacker
could possibly use this issue to inject Javascript code and perform a cross
site scripting attack. This issue only affected Go 1.20 in Ubuntu 20.04 LTS,
Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-39318, CVE-2023-39319)
It was discovered that Go did not properly validate the "//go:cgo_"
directives during compilation. An attacker could possibly use this issue to
inject arbitrary code during compile time. (CVE-2023-39323)
It was discovered that Go did not limit the number of simultaneously
executing handler goroutines in the net/http module. An attacker could
possibly use this issue to cause a panic resulting into a denial of se
GHSA
GHSA-vq7j-gx56-rxjh: The html/template package does not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts
ghsa_unreviewed·2023-09-08
CVE-2023-39318 [MEDIUM] CWE-79 GHSA-vq7j-gx56-rxjh: The html/template package does not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts
The html/template package does not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.
OSV
CVE-2023-39318: The html/template package does not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts
osv·2023-09-08·CVSS 6.1
CVE-2023-39318 [MEDIUM] CVE-2023-39318: The html/template package does not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts
The html/template package does not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.
OSV
Improper handling of HTML-like comments in script contexts in html/template
osv·2023-09-07
CVE-2023-39318 Improper handling of HTML-like comments in script contexts in html/template
The html/template package does not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.
Ubuntu
Go vulnerabilities
vendor_ubuntu·2024-11-14·CVSS 7.5
CVE-2023-29405 [HIGH] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Philippe Antoine discovered that Go incorrectly handled crafted HTTP/2
streams. An attacker could possibly use this issue to cause a denial of
service. (CVE-2022-41723)
Marten Seemann discovered that Go did not properly manage memory under
certain circumstances. An attacker could possibly use this issue to cause
a panic resulting in a denial of service. (CVE-2022-41724)
Ameya Darshan and Jakob Ackermann discovered that Go did not properly
validate the amount of memory and disk files ReadForm can consume. An
attacker could possibly use this issue to cause a panic resulting in a
denial of service. (CVE-2022-41725)
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables
Palo Alto
PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto·2024-11-01·CVSS 9.8
CVE-2017-12424 [CRITICAL] PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-12424, CVE-2021-3114, CVE-2021-31525, CVE-2021-33195, CVE-2021-33197, CVE-2021-33198, CVE-2021-34558, CVE-2021-36221, CVE-2021-4034, CVE-2021-44716, CVE-2021-44717, CVE-2022-1664, CVE-2022-1705, CVE-2022-23772, CVE-2022-24675, CVE-2022-24921, CVE-2022-28327, CVE-2022-2880, CVE-2022-29526, CVE-2022-30629, CVE-2022-30631, CVE-2022-30632, CVE-2022-32148, CVE-2022-32189, CVE-2022-41715, CVE-2022-41717, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24539, CVE-2023-29406, CVE-2023-29409, CVE-2023-39
Ubuntu
Go vulnerabilities
vendor_ubuntu·2024-10-10·CVSS 9.8
CVE-2023-29405 [CRITICAL] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Hunter Wittenborn discovered that Go incorrectly handled the sanitization
of environment variables. An attacker could possibly use this issue to run
arbitrary commands. (CVE-2023-24531)
Sohom Datta discovered that Go did not properly validate backticks (`) as
Javascript string delimiters, and did not escape them as expected. An
attacker could possibly use this issue to inject arbitrary Javascript code
into the Go template. (CVE-2023-24538)
Juho Nurminen discovered that Go incorrectly handled certain special
characters in directory or file paths. An attacker could possibly use
this issue to inject code into the resulting binaries. (CVE-2023-29402)
Vincent Dehors discovered that Go incorrectly handled permissio
Ubuntu
Go vulnerabilities
vendor_ubuntu·2024-01-11·CVSS 6.1
CVE-2023-39326 [MEDIUM] Go vulnerabilities
Title: Go vulnerabilities
Summary: Several security issues were fixed in Go.
Takeshi Kaneko discovered that Go did not properly handle comments and
special tags in the script context of html/template module. An attacker
could possibly use this issue to inject Javascript code and perform a cross
site scripting attack. This issue only affected Go 1.20 in Ubuntu 20.04 LTS,
Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-39318, CVE-2023-39319)
It was discovered that Go did not properly validate the "//go:cgo_"
directives during compilation. An attacker could possibly use this issue to
inject arbitrary code during compile time. (CVE-2023-39323)
It was discovered that Go did not limit the number of simultaneously
executing handler goroutines in the net/http module. An attacker could
possibly us
Microsoft
Improper handling of HTML-like comments in script contexts in html/template
vendor_msrc·2023-09-12·CVSS 6.1
CVE-2023-39318 [MEDIUM] CWE-79 Improper handling of HTML-like comments in script contexts in html/template
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Go: Go
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference:
Red Hat
golang: html/template: improper handling of HTML-like comments within script contexts
vendor_redhat·2023-09-06·CVSS 6.1
CVE-2023-39318 [MEDIUM] CWE-79 golang: html/template: improper handling of HTML-like comments within script contexts
The html/template package does not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.
A flaw was found in Golang. The html/template package did not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This issue may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped.
Package: cert-manager/cert-manager-operator-rhel9 (cert-manager Operator for Red Hat OpenShift) - Not affected
Package: c
Debian
CVE-2023-39318: golang-1.15 - The html/template package does not properly handle HTML-like "<!--" and "-->" comment tokens, ...
vendor_debian·2023·CVSS 6.1
CVE-2023-39318 [MEDIUM] CVE-2023-39318: golang-1.15 - The html/template package does not properly handle HTML-like "<!--" and "-->" comment tokens, ...
The html/template package does not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.
Scope: local
bullseye: open
No detection rules found.
No public exploits indexed.
https://go.dev/cl/526156
https://go.dev/issue/62196
https://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ
https://pkg.go.dev/vuln/GO-2023-2041
https://security.gentoo.org/glsa/202311-09
https://security.netapp.com/advisory/ntap-20231020-0009/
2023-09-08
Published