CVE-2020-29511
Published: 14 December 2020
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
Notes
Author | Note |
---|---|
mdeslaur | Packages built using golang need to be rebuilt once the vulnerability has been fixed. This CVE entry does not list packages that need rebuilding outside of the main repository or the Ubuntu variants with PPA overlays. As of 2021-08-10, there likely won't be a fix for this issue by the upstream Go developers. |
Priority
Status
Package | Release | Status |
---|---|---|
golang Launchpad, Ubuntu, Debian | impish | Does not exist |
 | bionic | Does not exist |
 | jammy | Does not exist |
 | lunar | Does not exist |
 | focal | Does not exist |
 | groovy | Does not exist |
 | hirsute | Does not exist |
 | kinetic | Does not exist |
 | trusty | Does not exist |
 | upstream | Needs triage |
 | xenial | Does not exist |
golang-1.6 Launchpad, Ubuntu, Debian | impish | Does not exist |
 | xenial | Deferred |
 | jammy | Does not exist |
 | lunar | Does not exist |
 | bionic | Does not exist |
 | focal | Does not exist |
 | groovy | Does not exist |
 | hirsute | Does not exist |
 | kinetic | Does not exist |
 | trusty | Does not exist |
 | upstream | Needs triage |
golang-1.8 Launchpad, Ubuntu, Debian | impish | Does not exist |
 | jammy | Does not exist |
 | lunar | Does not exist |
 | bionic | Deferred |
 | focal | Does not exist |
 | groovy | Does not exist |
 | hirsute | Does not exist |
 | kinetic | Does not exist |
 | trusty | Does not exist |
 | upstream | Needs triage |
 | xenial | Does not exist |
golang-1.9 Launchpad, Ubuntu, Debian | impish | Does not exist |
 | jammy | Does not exist |
 | lunar | Does not exist |
 | bionic | Deferred |
 | focal | Does not exist |
 | groovy | Does not exist |
 | hirsute | Does not exist |
 | kinetic | Does not exist |
 | trusty | Does not exist |
 | upstream | Needs triage |
 | xenial | Does not exist |
golang-1.10 Launchpad, Ubuntu, Debian | impish | Does not exist |
 | jammy | Does not exist |
 | lunar | Does not exist |
 | bionic | Deferred |
 | focal | Does not exist |
 | groovy | Does not exist |
 | hirsute | Does not exist |
 | kinetic | Does not exist |
 | trusty | Deferred |
 | upstream | Needs triage |
 | xenial | Deferred |
golang-1.14 Launchpad, Ubuntu, Debian | impish | Does not exist |
 | focal | Deferred |
 | hirsute | Ignored (end of life) |
 | jammy | Does not exist |
 | lunar | Does not exist |
 | bionic | Does not exist |
 | groovy | Ignored (end of life) |
 | kinetic | Does not exist |
 | trusty | Does not exist |
 | upstream | Needs triage |
 | xenial | Does not exist |
golang-1.13 Launchpad, Ubuntu, Debian | hirsute | Ignored (end of life) |
 | xenial | Deferred (2021-02-04) |
 | kinetic | Ignored (end of life, was deferred) |
 | jammy | Deferred |
 | lunar | Does not exist |
 | bionic | Deferred |
 | focal | Deferred |
 | groovy | Ignored (end of life) |
 | impish | Ignored (end of life) |
 | trusty | Does not exist |
 | upstream | Needs triage |
golang-1.15 Launchpad, Ubuntu, Debian | hirsute | Ignored (end of life) |
 | bionic | Does not exist |
 | focal | Does not exist |
 | groovy | Ignored (end of life) |
 | impish | Ignored (end of life) |
 | trusty | Does not exist |
 | upstream | Needs triage |
 | xenial | Does not exist |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.6 |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | Low |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |