{
  "threat_severity" : "Moderate",
  "public_date" : "2023-09-06T00:00:00Z",
  "bugzilla" : {
    "description" : "golang: html/template: improper handling of HTML-like comments within script contexts",
    "id" : "2237776",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2237776"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "The html/template package does not properly handle HTML-like \"\" comment tokens, nor hashbang \"#!\" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.", "A flaw was found in Golang. The html/template package did not properly handle HMTL-like \"<!--\" and \"-->\" comment tokens, nor hashbang \"#!\" comment tokens, in <script> contexts. This issue may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped." ],
  "acknowledgement" : "Red Hat would like to thank Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Migration Toolkit for Virtualization 2.5",
    "release_date" : "2023-12-05T00:00:00Z",
    "advisory" : "RHBA-2023:7648",
    "cpe" : "cpe:/a:redhat:migration_toolkit_virtualization:2.5::el9",
    "package" : "migration-toolkit-virtualization/mtv-api-rhel9:2.5.3-11"
  }, {
    "product_name" : "NETWORK-OBSERVABILITY-1.4.0-RHEL-9",
    "release_date" : "2023-10-20T00:00:00Z",
    "advisory" : "RHSA-2023:5974",
    "cpe" : "cpe:/a:redhat:network_observ_optr:1.4.0::el9",
    "package" : "network-observability/network-observability-rhel9-operator:v1.4.0-51"
  }, {
    "product_name" : "OADP-1.1-RHEL-8",
    "release_date" : "2023-10-25T00:00:00Z",
    "advisory" : "RHSA-2023:6115",
    "cpe" : "cpe:/a:redhat:openshift_api_data_protection:1.1::el8",
    "package" : "oadp/oadp-velero-rhel8:1.1.7-6"
  }, {
    "product_name" : "OSSO-1.2-RHEL-8",
    "release_date" : "2023-11-01T00:00:00Z",
    "advisory" : "RHSA-2023:6154",
    "cpe" : "cpe:/a:redhat:openshift_secondary_scheduler:1.2::el8",
    "package" : "openshift-secondary-scheduler-operator/secondary-scheduler-operator-bundle:v1.2-8"
  }, {
    "product_name" : "OSSO-1.2-RHEL-8",
    "release_date" : "2023-11-01T00:00:00Z",
    "advisory" : "RHSA-2023:6154",
    "cpe" : "cpe:/a:redhat:openshift_secondary_scheduler:1.2::el8",
    "package" : "openshift-secondary-scheduler-operator/secondary-scheduler-operator-rhel8:v1.2-13"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHBA-2023:6928",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "go-toolset:rhel8-8090020231013032436.26eb71ac"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-01-10T00:00:00Z",
    "advisory" : "RHSA-2024:0121",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "container-tools:4.0-8090020231207142256.d7b6f4b7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-05-22T00:00:00Z",
    "advisory" : "RHSA-2024:2988",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "container-tools:rhel8-8100020240227110532.82888897"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHBA-2023:6364",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "golang-0:1.20.10-1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-12-12T00:00:00Z",
    "advisory" : "RHSA-2023:7762",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "skopeo-2:1.13.3-3.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-12-12T00:00:00Z",
    "advisory" : "RHSA-2023:7764",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "buildah-1:1.31.3-2.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-12-12T00:00:00Z",
    "advisory" : "RHSA-2023:7765",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "podman-2:4.6.1-7.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-12-12T00:00:00Z",
    "advisory" : "RHSA-2023:7766",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "containernetworking-plugins-1:1.3.0-6.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2160",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "toolbox-0:0.0.99.5-2.el9"
  }, {
    "product_name" : "Red Hat Migration Toolkit for Containers 1.7",
    "release_date" : "2023-10-30T00:00:00Z",
    "advisory" : "RHSA-2023:6161",
    "cpe" : "cpe:/a:redhat:rhmt:1.7::el8",
    "package" : "rhmtc/openshift-velero-plugin-rhel8:v1.7.14-3"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.14",
    "release_date" : "2023-10-31T00:00:00Z",
    "advisory" : "RHSA-2023:5009",
    "cpe" : "cpe:/a:redhat:openshift:4.14::el8",
    "package" : "buildah-1:1.29.1-10.1.rhaos4.14.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.14",
    "release_date" : "2023-10-31T00:00:00Z",
    "advisory" : "RHSA-2023:5009",
    "cpe" : "cpe:/a:redhat:openshift:4.14::el8",
    "package" : "containernetworking-plugins-0:1.0.1-11.1.rhaos4.14.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.14",
    "release_date" : "2023-10-31T00:00:00Z",
    "advisory" : "RHSA-2023:5009",
    "cpe" : "cpe:/a:redhat:openshift:4.14::el8",
    "package" : "podman-3:4.4.1-10.1.rhaos4.14.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.14",
    "release_date" : "2023-10-31T00:00:00Z",
    "advisory" : "RHSA-2023:5009",
    "cpe" : "cpe:/a:redhat:openshift:4.14::el8",
    "package" : "runc-4:1.1.9-2.1.rhaos4.14.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.14",
    "release_date" : "2023-10-31T00:00:00Z",
    "advisory" : "RHSA-2023:5009",
    "cpe" : "cpe:/a:redhat:openshift:4.14::el8",
    "package" : "skopeo-2:1.11.2-10.1.rhaos4.14.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.14",
    "release_date" : "2023-11-15T00:00:00Z",
    "advisory" : "RHSA-2023:6840",
    "cpe" : "cpe:/a:redhat:openshift:4.14::el8",
    "package" : "openshift-clients-0:4.14.0-202311031050.p0.g9b1e0d2.assembly.stream.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.14",
    "release_date" : "2023-10-31T00:00:00Z",
    "advisory" : "RHSA-2023:5008",
    "cpe" : "cpe:/a:redhat:openshift:4.14::el9",
    "package" : "microshift-0:4.14.0-202310261440.p0.g1586504.assembly.4.14.0.el9"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.1",
    "release_date" : "2024-05-29T00:00:00Z",
    "advisory" : "RHSA-2024:3467",
    "cpe" : "cpe:/a:redhat:openstack:16.1::el8",
    "package" : "etcd-0:3.3.23-16.el8ost"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "release_date" : "2024-05-23T00:00:00Z",
    "advisory" : "RHSA-2024:3352",
    "cpe" : "cpe:/a:redhat:openstack:16.2::el8",
    "package" : "etcd-0:3.3.23-16.el8ost"
  }, {
    "product_name" : "RHODF-4.15-RHEL-9",
    "release_date" : "2024-03-19T00:00:00Z",
    "advisory" : "RHSA-2024:1383",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.15::el9",
    "package" : "odf4/cephcsi-rhel9:v4.15.0-37"
  }, {
    "product_name" : "RODOO-1.0-RHEL-8",
    "release_date" : "2023-10-26T00:00:00Z",
    "advisory" : "RHSA-2023:5947",
    "cpe" : "cpe:/a:redhat:run_once_duration_override_operator:1.0::el8",
    "package" : "run-once-duration-override-operator/run-once-duration-override-rhel8:v1.0-30"
  }, {
    "product_name" : "Service Interconnect 1 for RHEL 9",
    "release_date" : "2024-04-18T00:00:00Z",
    "advisory" : "RHSA-2024:1901",
    "cpe" : "cpe:/a:redhat:service_interconnect:1::el9",
    "package" : "service-interconnect/skupper-config-sync-rhel9:1.5.3-1"
  }, {
    "product_name" : "Service Interconnect 1 for RHEL 9",
    "release_date" : "2024-04-18T00:00:00Z",
    "advisory" : "RHSA-2024:1901",
    "cpe" : "cpe:/a:redhat:service_interconnect:1::el9",
    "package" : "service-interconnect/skupper-controller-podman-rhel9:1.5.3-1"
  }, {
    "product_name" : "Service Interconnect 1 for RHEL 9",
    "release_date" : "2024-04-18T00:00:00Z",
    "advisory" : "RHSA-2024:1901",
    "cpe" : "cpe:/a:redhat:service_interconnect:1::el9",
    "package" : "service-interconnect/skupper-flow-collector-rhel9:1.5.3-2"
  }, {
    "product_name" : "Service Interconnect 1 for RHEL 9",
    "release_date" : "2024-04-18T00:00:00Z",
    "advisory" : "RHSA-2024:1901",
    "cpe" : "cpe:/a:redhat:service_interconnect:1::el9",
    "package" : "service-interconnect/skupper-operator-bundle:1.5.3-3"
  }, {
    "product_name" : "Service Interconnect 1 for RHEL 9",
    "release_date" : "2024-04-18T00:00:00Z",
    "advisory" : "RHSA-2024:1901",
    "cpe" : "cpe:/a:redhat:service_interconnect:1::el9",
    "package" : "service-interconnect/skupper-router-rhel9:2.5.1-2"
  }, {
    "product_name" : "Service Interconnect 1 for RHEL 9",
    "release_date" : "2024-04-18T00:00:00Z",
    "advisory" : "RHSA-2024:1901",
    "cpe" : "cpe:/a:redhat:service_interconnect:1::el9",
    "package" : "service-interconnect/skupper-service-controller-rhel9:1.5.3-1"
  }, {
    "product_name" : "Service Interconnect 1 for RHEL 9",
    "release_date" : "2024-04-18T00:00:00Z",
    "advisory" : "RHSA-2024:1901",
    "cpe" : "cpe:/a:redhat:service_interconnect:1::el9",
    "package" : "service-interconnect/skupper-site-controller-rhel9:1.5.3-2"
  } ],
  "package_state" : [ {
    "product_name" : "cert-manager Operator for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "cert-manager/cert-manager-operator-rhel9",
    "cpe" : "cpe:/a:redhat:cert_manager:1"
  }, {
    "product_name" : "Cost Management Metrics Operator",
    "fix_state" : "Affected",
    "package_name" : "costmanagement-metrics-operator-container",
    "cpe" : "cpe:/a:redhat:cost_management:1"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/logging-loki-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logical Volume Manager Storage",
    "fix_state" : "Affected",
    "package_name" : "lvms4/topolvm-rhel9",
    "cpe" : "cpe:/a:redhat:lvms:4"
  }, {
    "product_name" : "Node Maintenance Operator",
    "fix_state" : "Affected",
    "package_name" : "workload-availability/node-maintenance-rhel8-operator",
    "cpe" : "cpe:/a:redhat:workload_availability_nmo:5"
  }, {
    "product_name" : "OpenShift Developer Tools and Services",
    "fix_state" : "Affected",
    "package_name" : "helm",
    "cpe" : "cpe:/a:redhat:ocp_tools"
  }, {
    "product_name" : "OpenShift Developer Tools and Services",
    "fix_state" : "Affected",
    "package_name" : "ocp-tools-4/jenkins-rhel8",
    "cpe" : "cpe:/a:redhat:ocp_tools"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines-client",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-serverless-1/client-kn-rhel8",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-serverless-clients",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Affected",
    "package_name" : "openshift-golang-builder-container",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Affected",
    "package_name" : "3scale-operator-container",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Affected",
    "package_name" : "rhacm2/subctl-rhel9",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 3",
    "fix_state" : "Will not fix",
    "package_name" : "advanced-cluster-security/rhacs-main-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:3"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Affected",
    "package_name" : "advanced-cluster-security/rhacs-main-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Ceph Storage 5",
    "fix_state" : "Affected",
    "package_name" : "rhceph/rhceph-5-dashboard-rhel8",
    "cpe" : "cpe:/a:redhat:ceph_storage:5"
  }, {
    "product_name" : "Red Hat Certification for Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "redhat-certification-cnf",
    "cpe" : "cpe:/a:redhat:certifications:1::el8"
  }, {
    "product_name" : "Red Hat Certification for Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "redhat-certification-preflight",
    "cpe" : "cpe:/a:redhat:certifications:1::el8"
  }, {
    "product_name" : "Red Hat Certification Program for Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "redhat-certification-cnf",
    "cpe" : "cpe:/a:redhat:certifications:9"
  }, {
    "product_name" : "Red Hat Certification Program for Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "redhat-certification-preflight",
    "cpe" : "cpe:/a:redhat:certifications:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "grafana-pcp",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "osbuild-composer",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "grafana-pcp",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "ignition",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "osbuild-composer",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "conmon",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "cri-o",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "cri-tools",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "ignition",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "sandboxed-containers",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Data Science (RHODS)",
    "fix_state" : "Will not fix",
    "package_name" : "rhods/odh-mm-rest-proxy-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_data_science"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Affected",
    "package_name" : "devspaces/udi-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift distributed tracing 2",
    "fix_state" : "Affected",
    "package_name" : "rhosdt/tempo-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Affected",
    "package_name" : "openshift-gitops-1/gitops-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Affected",
    "package_name" : "openshift-gitops-kam",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift on AWS",
    "fix_state" : "Affected",
    "package_name" : "rosa",
    "cpe" : "cpe:/a:redhat:openshift_service_on_aws:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Affected",
    "package_name" : "kubevirt",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Affected",
    "package_name" : "openshift-golang-builder-container",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Affected",
    "package_name" : "rhosp-rhel8/osp-director-agent",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  }, {
    "product_name" : "Red Hat OpenStack Platform 18.0",
    "fix_state" : "Not affected",
    "package_name" : "rhoso-operators/rabbitmq-cluster-rhel9-operator",
    "cpe" : "cpe:/a:redhat:openstack:18.0"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Affected",
    "package_name" : "quay/clair-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "yggdrasil-worker-forwarder",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "golang",
    "cpe" : "cpe:/a:redhat:storage:3"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "go-toolset-7-golang",
    "cpe" : "cpe:/a:redhat:storage:3"
  }, {
    "product_name" : "Self Node Remediation Operator",
    "fix_state" : "Affected",
    "package_name" : "workload-availability/self-node-remediation-rhel8-operator",
    "cpe" : "cpe:/a:redhat:workload_availability_snr:0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-39318\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-39318\nhttps://go.dev/cl/526156\nhttps://go.dev/issue/62196\nhttps://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ\nhttps://vuln.go.dev/ID/GO-2023-2041.json" ],
  "name" : "CVE-2023-39318",
  "csaw" : false
}