CVE-2023-29400
Public on 2023-05-05
Modified on 2024-04-29
Description
html/template: improper handling of empty HTML attributes.
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input could result in output that would have unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
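As an added example (not code from this advisory or from the Go project), the heuristic scan below flags the `attr={{.}}` pattern described above in template source so those attributes can be reviewed and quoted. The function name `FindUnquotedActions` and the sample template are hypothetical and constructed for illustration; the scan does not special-case HTML comments or `<script>` bodies.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample template, not taken from any real project.
const sample = `<a href="/u/{{.ID}}" title={{.Title}}>{{.Name}}</a>
<input type=text value={{.Query}}>
<img alt="{{printf "%s" .Alt}}" src="{{.Src}}">
<p>x={{.X}}</p>`

// FindUnquotedActions heuristically scans template source and returns
// "line:attr" for every attribute written as attr={{...}} without quotes.
func FindUnquotedActions(src string) []string {
	var out []string
	var quote byte // 0 when not inside a quoted attribute value
	inTag := false
	for i := 0; i < len(src); i++ {
		c := src[i]
		switch {
		case strings.HasPrefix(src[i:], "{{"): // skip actions in any state
			end := strings.Index(src[i:], "}}")
			if end < 0 {
				return out // unterminated action, stop scanning
			}
			i += end + 1
		case quote != 0:
			if c == quote {
				quote = 0
			}
		case !inTag:
			inTag = c == '<'
		case c == '>':
			inTag = false
		case c == '"' || c == '\'':
			quote = c
		case c == '=' && strings.HasPrefix(strings.TrimLeft(src[i+1:], " \t\r\n"), "{{"):
			name := strings.TrimRight(src[:i], " \t\r\n")
			name = name[strings.LastIndexAny(name, " \t\r\n</")+1:]
			out = append(out, fmt.Sprintf("%d:%s", strings.Count(src[:i], "\n")+1, name))
		}
	}
	return out
}

func main() {
	fmt.Println(FindUnquotedActions(sample))
}
```

On the sample it reports `title` on line 1 and `value` on line 2; the quoted attributes and the `x={{.X}}` text outside a tag are not reported.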
Affected Packages
Platform | Package | Release Date | Advisory | Status |
---|---|---|---|---|
Amazon Linux 2 - Docker Extra | containerd | 2023-08-17 | ALAS2DOCKER-2023-029 | Fixed |
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | containerd | 2023-08-03 | ALAS2NITRO-ENCLAVES-2023-026 | Fixed |
Amazon Linux 1 | golang | 2023-06-05 | ALAS-2023-1760 | Fixed |
Amazon Linux 1 | golang | 2023-09-27 | ALAS-2023-1848 | Fixed |
Amazon Linux 2 - Core | golang | 2023-07-20 | ALAS2-2023-2163 | Fixed |
Amazon Linux 2 - Golang1.19 Extra | golang | 2023-08-07 | ALAS2GOLANG1.19-2023-001 | Fixed |
Amazon Linux 2023 | golang | 2023-06-07 | ALAS2023-2023-209 | Fixed |
Amazon Linux 2023 | golang | 2023-07-19 | ALAS2023-2023-269 | Fixed |
CVSS Scores
Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv3 | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
NVD | CVSSv3 | 7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |