CVE-2023-24540

Aliases:GO-2023-1752BIT-golang-2023-24540

Advisory lineage Upstream: 0 Downstream: 27

Downstream

DEBIAN-CVE-2023-24540 MGASA-2023-0169 OPENSUSE-SU-2024:12907-1 OPENSUSE-SU-2024:12908-1 RHSA-2023:3318 RHSA-2023:3319

Modified

Published: 11 May 2023, 15:29

Last modified:24 Jan 2025, 16:45

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.8 CRITICAL

v3.1 (cve.org)

EPSS Score

0.29% LOW

0% probability +0.05%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

11 May 2023, 15:29

Published

Vulnerability first disclosed

24 Jan 2025, 16:45

Last Modified

Vulnerability information updated

Description

Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

CVSS Metrics

v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.29%• Percentile: 53%

Techniques & Countermeasures

CWE-77•Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Affected Systems

go standard library•html/template
< 1.19.9 | ≥ 1.20.0-0, < 1.20.4
golang•go
< 1.19.9 | ≥ 1.20.0, < 1.20.4
Go•stdlib
≥ 1.20.0-0, < 1.20.4