CVE-2023-39319

Name: CVE-2023-39319
Description: The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.
Source: CVE (at NVD)
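Added example, not part of the Debian tracker page or of the Go project's own code: a Go program that renders a template whose JS string literals contain the three sequences named in the description ("<!--", "<script", "</script"), passes an attacker-controlled value through the action that follows them, and checks that html/template escaped that action as a JS value rather than as HTML text. The template, the hostile value and the helper names (Render, ActionEscapedAsJS, ClosingTagCount, AffectedToolchain) are constructed for this illustration. The upstream fix rewrites the "<" of those sequences inside JS literals as \x3C, so a fixed toolchain leaves only the real closing tag in the output; ClosingTagCount checks that. AffectedToolchain compares a runtime.Version() string against the upstream fixed releases listed in the fixed-version table and notes below (go1.20.8 and go1.21.1), treating older minor series as unfixed.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"regexp"
	"runtime"
	"strconv"
	"strings"
)

// pageTmpl is a template constructed for this example. Its JS string
// literals carry the three sequences the advisory names ("<!--", "<script"
// and "</script"). An affected html/template treats the "</script" inside
// the literal as the end of the <script> element, so the {{.}} that follows
// is escaped as HTML text instead of as a JS value.
const pageTmpl = `<script>
var marker = "<!--<script>";
var closer = "</script";
var user = {{.}};
</script>`

// hostileInput is a constructed attacker-controlled value fed to the action.
const hostileInput = `</script><script>alert(1)</script>`

// Render executes pageTmpl through html/template and returns the result.
func Render(v string) (string, error) {
	t, err := template.New("page").Parse(pageTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, v); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ActionEscapedAsJS reports whether the action was escaped as a JS value:
// a double-quoted JSON string with '<' and '>' written as \u003c and \u003e.
// An affected toolchain emits HTML entities (&lt;, &gt;) at that point instead.
func ActionEscapedAsJS(out string) bool {
	const want = `var user = "\u003c/script\u003e\u003cscript\u003ealert(1)\u003c/script\u003e";`
	return strings.Contains(out, want) && !strings.Contains(out, "&lt;")
}

// ClosingTagCount counts "</script" in the rendered output. With the upstream
// fix the '<' of each special sequence inside a JS literal becomes \x3C, so
// only the genuine closing tag remains and the count is 1.
func ClosingTagCount(out string) int {
	return strings.Count(out, "</script")
}

var goVersionRe = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)

// AffectedToolchain reports whether a version string of the form returned by
// runtime.Version() ("go1.21.0") predates the fixed releases this page lists
// (go1.20.8, go1.21.1). Minor series older than 1.20 received no upstream fix
// and are reported as affected. Unparseable strings ("devel ...") return an error.
func AffectedToolchain(v string) (bool, error) {
	m := goVersionRe.FindStringSubmatch(v)
	if m == nil {
		return false, fmt.Errorf("unrecognised Go version %q", v)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch := 0
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	switch {
	case major > 1 || minor > 21:
		return false, nil
	case minor == 21:
		return patch < 1, nil
	case minor == 20:
		return patch < 8, nil
	default:
		return true, nil
	}
}

func main() {
	out, err := Render(hostileInput)
	if err != nil {
		fmt.Println("render failed:", err)
		return
	}
	fmt.Println(out)
	fmt.Println("action escaped as JS value:", ActionEscapedAsJS(out))
	fmt.Println("\"</script\" occurrences:", ClosingTagCount(out))
	affected, err := AffectedToolchain(runtime.Version())
	fmt.Printf("%s affected: %v (err: %v)\n", runtime.Version(), affected, err)
}
```

Run it with `go run` under the toolchain you want to check. The version helper is only a hint about the toolchain: html/template is compiled into each binary, so a program built with an affected Go stays affected until it is rebuilt with a fixed one, whatever is installed on the host afterwards.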

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     | Release                                    | Version           | Status
golang-1.11 (PTS)  | buster                                     | 1.11.6-1+deb10u4  | vulnerable
golang-1.11 (PTS)  | buster (security)                          | 1.11.6-1+deb10u7  | vulnerable
golang-1.15 (PTS)  | bullseye                                   | 1.15.15-1~deb11u4 | vulnerable
golang-1.19 (PTS)  | bookworm                                   | 1.19.8-2          | vulnerable
golang-1.21 (PTS)  | sid, trixie                                | 1.21.9-1          | fixed
golang-1.7 (PTS)   | stretch (security), stretch (lts), stretch | 1.7.4-2+deb9u5    | vulnerable

The information below is based on the following data on fixed versions.

Package     | Type    | Release    | Fixed Version | Urgency | Origin | Debian Bugs
golang-1.11 | source  | (unstable) | (unfixed)     |         |        |
golang-1.15 | source  | (unstable) | (unfixed)     |         |        |
golang-1.19 | source  | (unstable) | (unfixed)     |         |        |
golang-1.20 | unknown | (unstable) | 1.20.8-1      |         |        |
golang-1.21 | source  | (unstable) | 1.21.1-1      |         |        |
golang-1.7  | source  | (unstable) | (unfixed)     |         |        |

Notes

[bookworm] - golang-1.19 <no-dsa> (Minor issue)
[bullseye] - golang-1.15 <no-dsa> (Minor issue)
[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
https://go.dev/issue/62197
https://github.com/golang/go/commit/bbd043ff0d6d59f1a9232d31ecd5eacf6507bf6a (go1.21.1)
https://github.com/golang/go/commit/2070531d2f53df88e312edace6c8dfc9686ab2f5 (go1.20.8)
https://groups.google.com/g/golang-announce/c/Fm51GRLNRvM
[stretch] - golang-1.7 <postponed> (Limited support, follow buster DLAs)
