CVE-2023-24540

Published: May 11, 2023Modified: Jan 24, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

Affected (2)

Products: Golang: Go

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Golang Go	Before 1.19.9
Golang Go	From 1.20.0 to 1.20.4

Related CWEs

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (9)

https://go.dev/cl/491616

Source: security@golang.org

Patch

https://go.dev/issue/59721

Source: security@golang.org

Issue TrackingPatch

https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU

Source: security@golang.org

Mailing ListRelease Notes

https://pkg.go.dev/vuln/GO-2023-1752

Source: security@golang.org

Vendor Advisory

https://go.dev/cl/491616

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://go.dev/issue/59721

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatch

https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListRelease Notes

https://pkg.go.dev/vuln/GO-2023-1752

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://security.netapp.com/advisory/ntap-20241115-0008/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.