Vulnerability Description
The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | <= 1.15 |
| Netapp | Trident | - |
Related Weaknesses (CWE)
References
- https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unsThird Party Advisory
- https://security.netapp.com/advisory/ntap-20210129-0006/Third Party Advisory
- https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unsThird Party Advisory
- https://security.netapp.com/advisory/ntap-20210129-0006/Third Party Advisory
FAQ
What is CVE-2020-29510?
CVE-2020-29510 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave i...
How severe is CVE-2020-29510?
CVE-2020-29510 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-29510?
Check the references section above for vendor advisories and patch information. Affected products include: Golang Go, Netapp Trident.