Vulnerability Description
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") that are executed with empty input can produce output which, once parsed, yields unexpected results due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.19.9 |
Related Weaknesses (CWE)
References
- https://go.dev/cl/491617 (Patch)
- https://go.dev/issue/59722 (Issue Tracking, Patch)
- https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU (Mailing List, Release Notes)
- https://pkg.go.dev/vuln/GO-2023-1753 (Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20241213-0005/
FAQ
What is CVE-2023-29400?
CVE-2023-29400 is a vulnerability with a CVSS score of 7.3 (HIGH). Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This ma...
How severe is CVE-2023-29400?
CVE-2023-29400 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2023-29400?
Check the references section above for vendor advisories and patch information. Affected products include: Golang Go.