{ "threat_severity" : "Moderate", "public_date" : "2023-09-06T00:00:00Z", "bugzilla" : { "description" : "golang: html/template: improper handling of special tags within script contexts", "id" : "2237773", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2237773" }, "cvss3" : { "cvss3_base_score" : "6.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-79", "details" : [ "The html/template package does not apply the proper rules for handling occurrences of \" contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.", "A flaw was found in Golang. The html/template package did not apply the proper rules for handling occurrences of \" contexts. This issue may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped." ], "acknowledgement" : "Red Hat would like to thank Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.", "affected_release" : [ { "product_name" : "Migration Toolkit for Virtualization 2.5", "release_date" : "2023-12-05T00:00:00Z", "advisory" : "RHBA-2023:7648", "cpe" : "cpe:/a:redhat:migration_toolkit_virtualization:2.5::el9", "package" : "migration-toolkit-virtualization/mtv-api-rhel9:2.5.3-11" }, { "product_name" : "NETWORK-OBSERVABILITY-1.4.0-RHEL-9", "release_date" : "2023-10-20T00:00:00Z", "advisory" : "RHSA-2023:5974", "cpe" : "cpe:/a:redhat:network_observ_optr:1.4.0::el9", "package" : "network-observability/network-observability-rhel9-operator:v1.4.0-51" }, { "product_name" : "OADP-1.1-RHEL-8", "release_date" : "2023-10-25T00:00:00Z", "advisory" : "RHSA-2023:6115", "cpe" : "cpe:/a:redhat:openshift_api_data_protection:1.1::el8", "package" : "oadp/oadp-velero-rhel8:1.1.7-6" }, { "product_name" : "OSSO-1.2-RHEL-8", "release_date" : "2023-11-01T00:00:00Z", "advisory" : "RHSA-2023:6154", "cpe" : "cpe:/a:redhat:openshift_secondary_scheduler:1.2::el8", "package" : "openshift-secondary-scheduler-operator/secondary-scheduler-operator-bundle:v1.2-8" }, { "product_name" : "OSSO-1.2-RHEL-8", "release_date" : "2023-11-01T00:00:00Z", "advisory" : "RHSA-2023:6154", "cpe" : "cpe:/a:redhat:openshift_secondary_scheduler:1.2::el8", "package" : "openshift-secondary-scheduler-operator/secondary-scheduler-operator-rhel8:v1.2-13" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-11-14T00:00:00Z", "advisory" : "RHBA-2023:6928", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "go-toolset:rhel8-8090020231013032436.26eb71ac" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-01-10T00:00:00Z", "advisory" : "RHSA-2024:0121", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "container-tools:4.0-8090020231207142256.d7b6f4b7" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-05-22T00:00:00Z", "advisory" : "RHSA-2024:2988", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "container-tools:rhel8-8100020240227110532.82888897" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-11-07T00:00:00Z", "advisory" : "RHBA-2023:6364", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "golang-0:1.20.10-1.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-12-12T00:00:00Z", "advisory" : "RHSA-2023:7762", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "skopeo-2:1.13.3-3.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-12-12T00:00:00Z", "advisory" : "RHSA-2023:7764", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "buildah-1:1.31.3-2.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-12-12T00:00:00Z", "advisory" : "RHSA-2023:7765", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "podman-2:4.6.1-7.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-12-12T00:00:00Z", "advisory" : "RHSA-2023:7766", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "containernetworking-plugins-1:1.3.0-6.el9_3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2160", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "toolbox-0:0.0.99.5-2.el9" }, { "product_name" : "Red Hat Migration Toolkit for Containers 1.7", "release_date" : "2023-10-30T00:00:00Z", "advisory" : "RHSA-2023:6161", "cpe" : "cpe:/a:redhat:rhmt:1.7::el8", "package" : "rhmtc/openshift-velero-plugin-rhel8:v1.7.14-3" }, { "product_name" : "Red Hat OpenShift Container Platform 4.14", "release_date" : "2023-10-31T00:00:00Z", "advisory" : "RHSA-2023:5009", "cpe" : "cpe:/a:redhat:openshift:4.14::el8", "package" : "buildah-1:1.29.1-10.1.rhaos4.14.el8" }, { "product_name" : "Red Hat OpenShift Container Platform 4.14", "release_date" : "2023-10-31T00:00:00Z", "advisory" : "RHSA-2023:5009", "cpe" : "cpe:/a:redhat:openshift:4.14::el8", "package" : "containernetworking-plugins-0:1.0.1-11.1.rhaos4.14.el8" }, { "product_name" : "Red Hat OpenShift Container Platform 4.14", "release_date" : "2023-10-31T00:00:00Z", "advisory" : "RHSA-2023:5009", "cpe" : "cpe:/a:redhat:openshift:4.14::el8", "package" : "podman-3:4.4.1-10.1.rhaos4.14.el8" }, { "product_name" : "Red Hat OpenShift Container Platform 4.14", "release_date" : "2023-10-31T00:00:00Z", "advisory" : "RHSA-2023:5009", "cpe" : "cpe:/a:redhat:openshift:4.14::el8", "package" : "skopeo-2:1.11.2-10.1.rhaos4.14.el8" }, { "product_name" : "Red Hat OpenShift Container Platform 4.14", "release_date" : "2023-11-15T00:00:00Z", "advisory" : "RHSA-2023:6840", "cpe" : "cpe:/a:redhat:openshift:4.14::el8", "package" : "openshift-clients-0:4.14.0-202311031050.p0.g9b1e0d2.assembly.stream.el8" }, { "product_name" : "Red Hat OpenShift Container Platform 4.14", "release_date" : "2023-10-31T00:00:00Z", "advisory" : "RHSA-2023:5008", "cpe" : "cpe:/a:redhat:openshift:4.14::el9", "package" : "microshift-0:4.14.0-202310261440.p0.g1586504.assembly.4.14.0.el9" }, { "product_name" : "Red Hat OpenStack Platform 16.1", "release_date" : "2024-05-29T00:00:00Z", "advisory" : "RHSA-2024:3467", "cpe" : "cpe:/a:redhat:openstack:16.1::el8", "package" : "etcd-0:3.3.23-16.el8ost" }, { "product_name" : "Red Hat OpenStack Platform 16.2", "release_date" : "2024-05-23T00:00:00Z", "advisory" : "RHSA-2024:3352", "cpe" : "cpe:/a:redhat:openstack:16.2::el8", "package" : "etcd-0:3.3.23-16.el8ost" }, { "product_name" : "RHODF-4.15-RHEL-9", "release_date" : "2024-03-19T00:00:00Z", "advisory" : "RHSA-2024:1383", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.15::el9", "package" : "odf4/cephcsi-rhel9:v4.15.0-37" }, { "product_name" : "RODOO-1.0-RHEL-8", "release_date" : "2023-10-26T00:00:00Z", "advisory" : "RHSA-2023:5947", "cpe" : "cpe:/a:redhat:run_once_duration_override_operator:1.0::el8", "package" : "run-once-duration-override-operator/run-once-duration-override-rhel8:v1.0-30" }, { "product_name" : "Service Interconnect 1 for RHEL 9", "release_date" : "2024-04-18T00:00:00Z", "advisory" : "RHSA-2024:1901", "cpe" : "cpe:/a:redhat:service_interconnect:1::el9", "package" : "service-interconnect/skupper-config-sync-rhel9:1.5.3-1" }, { "product_name" : "Service Interconnect 1 for RHEL 9", "release_date" : "2024-04-18T00:00:00Z", "advisory" : "RHSA-2024:1901", "cpe" : "cpe:/a:redhat:service_interconnect:1::el9", "package" : "service-interconnect/skupper-controller-podman-rhel9:1.5.3-1" }, { "product_name" : "Service Interconnect 1 for RHEL 9", "release_date" : "2024-04-18T00:00:00Z", "advisory" : "RHSA-2024:1901", "cpe" : "cpe:/a:redhat:service_interconnect:1::el9", "package" : "service-interconnect/skupper-flow-collector-rhel9:1.5.3-2" }, { "product_name" : "Service Interconnect 1 for RHEL 9", "release_date" : "2024-04-18T00:00:00Z", "advisory" : "RHSA-2024:1901", "cpe" : "cpe:/a:redhat:service_interconnect:1::el9", "package" : "service-interconnect/skupper-operator-bundle:1.5.3-3" }, { "product_name" : "Service Interconnect 1 for RHEL 9", "release_date" : "2024-04-18T00:00:00Z", "advisory" : "RHSA-2024:1901", "cpe" : "cpe:/a:redhat:service_interconnect:1::el9", "package" : "service-interconnect/skupper-router-rhel9:2.5.1-2" }, { "product_name" : "Service Interconnect 1 for RHEL 9", "release_date" : "2024-04-18T00:00:00Z", "advisory" : "RHSA-2024:1901", "cpe" : "cpe:/a:redhat:service_interconnect:1::el9", "package" : "service-interconnect/skupper-service-controller-rhel9:1.5.3-1" }, { "product_name" : "Service Interconnect 1 for RHEL 9", "release_date" : "2024-04-18T00:00:00Z", "advisory" : "RHSA-2024:1901", "cpe" : "cpe:/a:redhat:service_interconnect:1::el9", "package" : "service-interconnect/skupper-site-controller-rhel9:1.5.3-2" } ], "package_state" : [ { "product_name" : "cert-manager Operator for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "cert-manager/cert-manager-operator-rhel9", "cpe" : "cpe:/a:redhat:cert_manager:1" }, { "product_name" : "Cost Management Metrics Operator", "fix_state" : "Affected", "package_name" : "costmanagement-metrics-operator-container", "cpe" : "cpe:/a:redhat:cost_management:1" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/logging-loki-rhel8", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logical Volume Manager Storage", "fix_state" : "Affected", "package_name" : "lvms4/topolvm-rhel9", "cpe" : "cpe:/a:redhat:lvms:4" }, { "product_name" : "Node Maintenance Operator", "fix_state" : "Affected", "package_name" : "workload-availability/node-maintenance-rhel8-operator", "cpe" : "cpe:/a:redhat:workload_availability_nmo:5" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Affected", "package_name" : "helm", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Affected", "package_name" : "ocp-tools-4/jenkins-rhel8", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Affected", "package_name" : "openshift-pipelines-client", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-1/client-kn-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Will not fix", "package_name" : "openshift-serverless-clients", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Service Mesh 2", "fix_state" : "Affected", "package_name" : "openshift-golang-builder-container", "cpe" : "cpe:/a:redhat:service_mesh:2" }, { "product_name" : "Red Hat 3scale API Management Platform 2", "fix_state" : "Affected", "package_name" : "3scale-operator-container", "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/subctl-rhel9", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Security 3", "fix_state" : "Will not fix", "package_name" : "advanced-cluster-security/rhacs-main-rhel8", "cpe" : "cpe:/a:redhat:advanced_cluster_security:3" }, { "product_name" : "Red Hat Advanced Cluster Security 4", "fix_state" : "Affected", "package_name" : "advanced-cluster-security/rhacs-main-rhel8", "cpe" : "cpe:/a:redhat:advanced_cluster_security:4" }, { "product_name" : "Red Hat Ceph Storage 5", "fix_state" : "Affected", "package_name" : "rhceph/rhceph-5-dashboard-rhel8", "cpe" : "cpe:/a:redhat:ceph_storage:5" }, { "product_name" : "Red Hat Certification for Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "redhat-certification-cnf", "cpe" : "cpe:/a:redhat:certifications:1::el8" }, { "product_name" : "Red Hat Certification for Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "redhat-certification-preflight", "cpe" : "cpe:/a:redhat:certifications:1::el8" }, { "product_name" : "Red Hat Certification Program for Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "redhat-certification-cnf", "cpe" : "cpe:/a:redhat:certifications:9" }, { "product_name" : "Red Hat Certification Program for Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "redhat-certification-preflight", "cpe" : "cpe:/a:redhat:certifications:9" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "grafana", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "grafana-pcp", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "osbuild-composer", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "grafana", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "grafana-pcp", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Will not fix", "package_name" : "ignition", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Will not fix", "package_name" : "osbuild-composer", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "conmon", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "cri-o", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "cri-tools", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "ignition", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Affected", "package_name" : "sandboxed-containers", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform Assisted Installer 1", "fix_state" : "Under investigation", "package_name" : "rhai-tech-preview/assisted-installer-rhel8", "cpe" : "cpe:/a:redhat:assisted_installer:1" }, { "product_name" : "Red Hat OpenShift Data Science (RHODS)", "fix_state" : "Will not fix", "package_name" : "rhods/odh-mm-rest-proxy-rhel8", "cpe" : "cpe:/a:redhat:openshift_data_science" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Affected", "package_name" : "devspaces/udi-rhel8", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat OpenShift distributed tracing 2", "fix_state" : "Affected", "package_name" : "rhosdt/tempo-rhel8", "cpe" : "cpe:/a:redhat:openshift_distributed_tracing:2" }, { "product_name" : "Red Hat OpenShift GitOps", "fix_state" : "Affected", "package_name" : "openshift-gitops-1/gitops-rhel8", "cpe" : "cpe:/a:redhat:openshift_gitops:1" }, { "product_name" : "Red Hat OpenShift GitOps", "fix_state" : "Affected", "package_name" : "openshift-gitops-kam", "cpe" : "cpe:/a:redhat:openshift_gitops:1" }, { "product_name" : "Red Hat OpenShift on AWS", "fix_state" : "Affected", "package_name" : "rosa", "cpe" : "cpe:/a:redhat:openshift_service_on_aws:1" }, { "product_name" : "Red Hat OpenShift Virtualization 4", "fix_state" : "Affected", "package_name" : "kubevirt", "cpe" : "cpe:/a:redhat:container_native_virtualization:4" }, { "product_name" : "Red Hat OpenShift Virtualization 4", "fix_state" : "Affected", "package_name" : "openshift-golang-builder-container", "cpe" : "cpe:/a:redhat:container_native_virtualization:4" }, { "product_name" : "Red Hat OpenStack Platform 16.2", "fix_state" : "Affected", "package_name" : "rhosp-rhel8/osp-director-agent", "cpe" : "cpe:/a:redhat:openstack:16.2" }, { "product_name" : "Red Hat OpenStack Platform 17.1", "fix_state" : "Under investigation", "package_name" : "rhosp-rhel9/osp-director-downloader", "cpe" : "cpe:/a:redhat:openstack:17.1" }, { "product_name" : "Red Hat OpenStack Platform 18.0", "fix_state" : "Not affected", "package_name" : "rhoso-operators/rabbitmq-cluster-rhel9-operator", "cpe" : "cpe:/a:redhat:openstack:18.0" }, { "product_name" : "Red Hat Quay 3", "fix_state" : "Affected", "package_name" : "quay/clair-rhel8", "cpe" : "cpe:/a:redhat:quay:3" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Affected", "package_name" : "yggdrasil-worker-forwarder", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Storage 3", "fix_state" : "Will not fix", "package_name" : "golang", "cpe" : "cpe:/a:redhat:storage:3" }, { "product_name" : "Red Hat Storage 3", "fix_state" : "Will not fix", "package_name" : "go-toolset-7-golang", "cpe" : "cpe:/a:redhat:storage:3" }, { "product_name" : "Self Node Remediation Operator", "fix_state" : "Affected", "package_name" : "workload-availability/self-node-remediation-rhel8-operator", "cpe" : "cpe:/a:redhat:workload_availability_snr:0" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-39319\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-39319\nhttps://go.dev/cl/526157\nhttps://go.dev/issue/62197\nhttps://groups.google.com/g/golang-dev/c/2C5vbR-UNkI/m/L1hdrPhfBAAJ\nhttps://vuln.go.dev/ID/GO-2023-2043.json" ], "name" : "CVE-2023-39319", "csaw" : false }