CVE-2023-29400
11.05.2023, 16:15
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| golang | go | 𝑥 < 1.19.9 |
| golang | go | 1.20.0 ≤ 𝑥 < 1.20.4 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Red Hat Enterprise Linux Releases
Red Hat Product | |||
|---|---|---|---|
| buildah |
| ||
| buildah-tests |
| ||
| containernetworking-plugins |
| ||
| golang |
| ||
| golang-bin |
| ||
| golang-docs |
| ||
| golang-misc |
| ||
| golang-race |
| ||
| golang-src |
| ||
| golang-tests |
| ||
| podman |
| ||
| podman-docker |
| ||
| podman-gvproxy |
| ||
| podman-plugins |
| ||
| podman-remote |
| ||
| podman-tests |
| ||
| skopeo |
| ||
| skopeo-tests |
| ||
| toolbox |
| ||
| toolbox-tests |
|
Common Weakness Enumeration
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
- CWE-94 - Improper Control of Generation of Code ('Code Injection')The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
References