CVE-2023-24540
Published: 11 May 2023
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
golang-1.19 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Released
(1.19.2-1ubuntu1.1)
|
|
| lunar |
Released
(1.19.8-1ubuntu0.1)
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(end of standard support)
|
|
|
golang-1.20 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Not vulnerable
(1.20.3-1ubuntu0.1~20.04)
|
|
| jammy |
Not vulnerable
(1.20.3-1ubuntu0.1~22.04)
|
|
| kinetic |
Does not exist
|
|
| lunar |
Released
(1.20.3-1ubuntu0.1)
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Released
(1.20.4-1)
|
|
| xenial |
Ignored
(end of standard support)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
- https://github.com/golang/go/issues/59721
- https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797 (go1.19.9)
- https://github.com/golang/go/commit/4a28cad66655ee01c6e944271e23c33cab021765 (go1.20.4)
- https://ubuntu.com/security/notices/USN-6140-1
- https://www.cve.org/CVERecord?id=CVE-2023-24540
- NVD
- Launchpad
- Debian