CVE-2024-24785
Published: 5 March 2024
If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.
Priority
Status
Package | Release | Status |
---|---|---|
golang
Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
golang-1.10
Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Needs triage
|
|
upstream |
Needs triage
|
|
xenial |
Needs triage
|
|
golang-1.13
Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Needs triage
|
|
jammy |
Needs triage
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Needs triage
|
|
golang-1.14
Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Needs triage
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
golang-1.16
Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Needs triage
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
golang-1.17
Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
jammy |
Needs triage
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
golang-1.18
Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Needs triage
|
|
jammy |
Needs triage
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Needs triage
|
|
golang-1.19
Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
upstream |
Needs triage
|
|
golang-1.21
Launchpad, Ubuntu, Debian |
focal |
Released
(1.21.1-1~ubuntu20.04.3)
|
jammy |
Released
(1.21.1-1~ubuntu22.04.3)
|
|
mantic |
Ignored
(end of life, was needed)
|
|
noble |
Not vulnerable
(1.21.9-1)
|
|
upstream |
Released
(1.21.8-1)
|
|
golang-1.22
Launchpad, Ubuntu, Debian |
focal |
Does not exist
|
jammy |
Not vulnerable
(1.22.2-2~22.04)
|
|
mantic |
Not vulnerable
(1.22.2-2~23.10)
|
|
noble |
Not vulnerable
(1.22.1-1)
|
|
upstream |
Released
(1.22.1-1)
|
|
golang-1.6
Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Needs triage
|
|
golang-1.8
Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
golang-1.9
Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
focal |
Does not exist
|
|
jammy |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
References
- https://github.com/golang/go/issues/65697
- https://github.com/golang/go/commit/056b0edcb8c152152021eebf4cf42adbfbe77992 (go1.22.1)
- https://github.com/golang/go/commit/3643147a29352ca2894fd5d0d2069bc4b4335a7e (go1.21.8)
- https://go.dev/issue/65697
- https://go.dev/cl/564196
- https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg
- https://pkg.go.dev/vuln/GO-2024-2610
- https://www.cve.org/CVERecord?id=CVE-2024-24785
- https://ubuntu.com/security/notices/USN-6886-1
- NVD
- Launchpad
- Debian