Lucene search

K
amazonAmazonALAS-2023-2313
HistoryOct 16, 2023 - 1:45 p.m.

Important: golang

2023-10-1613:45:00
alas.aws.amazon.com
20
golang
html/template
http/2
xss
denial of service
cve-2023-39318
cve-2023-39319
cve-2023-39323
cve-2023-39325
cve-2023-44487

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.816

Percentile

98.4%

Issue Overview:

2024-01-03: CVE-2023-39319 was added to this advisory.

2023-10-30: CVE-2023-39318 was added to this advisory.

The html/template package does not properly handle HTML-like “” comment tokens, nor hashbang “#!” comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack. (CVE-2023-39318)

The html/template package does not apply the proper rules for handling occurrences of “<script”, "

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.8

Confidence

High

EPSS

0.816

Percentile

98.4%