Templates containing actions in unquoted HTML attributes (e.g.
"attr={{.}}"), when executed with empty input, can produce output that
is parsed in unexpected ways due to HTML normalization rules. This may
allow injection of arbitrary attributes into tags.
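
The behaviour described above can be checked on a given Go toolchain with the following added example, which is not code from the advisory or the Go project. It renders a constructed tag with the action unquoted and quoted, both with empty input; the template strings and the helper names `render` and `leavesEmptyValue` are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Constructed templates: the same tag with the action unquoted and quoted.
const (
	unquotedTmpl = `<img alt={{.}} src="x.png">`
	quotedTmpl   = `<img alt="{{.}}" src="x.png">`
)

// render parses src as an html/template and executes it with data.
func render(src string, data any) (string, error) {
	t, err := template.New("t").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// leavesEmptyValue reports whether the output contains "alt=" directly
// followed by a space. An HTML parser skips that space and takes the next
// token (here src="x.png") as the value of alt, so the tag no longer has
// the attributes the template author wrote.
func leavesEmptyValue(out string) bool {
	return strings.Contains(out, "alt= ")
}

func main() {
	for _, src := range []string{unquotedTmpl, quotedTmpl} {
		out, err := render(src, "") // empty input is the triggering case
		if err != nil {
			fmt.Println("render error:", err)
			continue
		}
		fmt.Printf("%-30s => %-30s emptyValue=%v\n", src, out, leavesEmptyValue(out))
	}
}
```

On a release that includes the fix commits listed below, the unquoted case emits the `ZgotmplZ` failsafe string instead of an empty value. Quoting the attribute in the template gives `alt=""` regardless of version.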

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 22.10 | noarch | golang-1.19 | < 1.19.2-1ubuntu1.1 | UNKNOWN |
ubuntu | 23.04 | noarch | golang-1.19 | < 1.19.8-1ubuntu0.1 | UNKNOWN |
ubuntu | 23.04 | noarch | golang-1.20 | < 1.20.3-1ubuntu0.1 | UNKNOWN |

github.com/golang/go/commit/337dd75343145b74ed2073d793322eb4103b56ad (go1.20.4)
github.com/golang/go/commit/9db0e74f606b8afb28cc71d4b1c8b4ed24cabbf5 (go1.19.9)
github.com/golang/go/issues/59722
groups.google.com/g/golang-announce/c/MEb0UyuSMsU
launchpad.net/bugs/cve/CVE-2023-29400
nvd.nist.gov/vuln/detail/CVE-2023-29400
security-tracker.debian.org/tracker/CVE-2023-29400
ubuntu.com/security/notices/USN-6140-1
www.cve.org/CVERecord?id=CVE-2023-29400