CVE-2023-29400
Public on 2023-05-05
Modified on 2024-04-29
Description
html/template: improper handling of empty HTML attributes.
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input could result in output that would have unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
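To locate templates written in the pattern described above, the following added example (not code from this advisory or from the Go project) reports attributes whose value is an unquoted action so they can be reviewed or quoted. The function name, the regular expressions and the sample template are assumptions made for illustration, and the tag matching is a heuristic rather than a full HTML parser.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	// tagRe matches one HTML start tag, including any {{...}} actions inside it.
	tagRe = regexp.MustCompile(`(?s)<[A-Za-z][^<>]*>`)
	// quotedRe matches a quoted attribute value (or a quoted string in an action).
	quotedRe = regexp.MustCompile(`(?s)"[^"]*"|'[^']*'`)
	// unquotedRe matches name={{ with no quote between '=' and the action.
	unquotedRe = regexp.MustCompile(`([A-Za-z_:][-A-Za-z0-9_:.]*)\s*=\s*\{\{`)
)

// Finding is one attribute whose value is an unquoted template action.
type Finding struct {
	Line int
	Attr string
}

// FindUnquotedActions returns every attr={{...}} found inside a start tag of src.
func FindUnquotedActions(src string) []Finding {
	var out []Finding
	for _, loc := range tagRe.FindAllStringIndex(src, -1) {
		// Drop quoted values so "?id={{.ID}}" inside href="..." is not reported.
		tag := quotedRe.ReplaceAllString(src[loc[0]:loc[1]], `""`)
		line := 1 + strings.Count(src[:loc[0]], "\n")
		for _, m := range unquotedRe.FindAllStringSubmatch(tag, -1) {
			out = append(out, Finding{Line: line, Attr: m[1]})
		}
	}
	return out
}

// sample is a constructed template, not taken from any real project.
const sample = `<div class={{.Class}} id="main">
<a href="/item?id={{.ID}}" title='{{.Title}}'>ok</a>
<img alt = {{.Alt}} src={{.Src}}>
<p>price={{.Price}}</p>`

func main() {
	for _, f := range FindUnquotedActions(sample) {
		fmt.Printf("line %d: attribute %q takes an unquoted action\n", f.Line, f.Attr)
	}
}
```

Actions inside quoted values and in text content are not reported, since the description concerns unquoted attribute values only.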
Severity
CVSS v3 Base Score
Affected Packages
Platform | Package | Release Date | Advisory | Status |
---|---|---|---|---|
Amazon Linux 2 - Docker Extra | containerd | 2023-08-17 | ALAS2DOCKER-2023-029 | Fixed |
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra | containerd | 2023-08-03 | ALAS2NITRO-ENCLAVES-2023-026 | Fixed |
Amazon Linux 1 | golang | 2023-06-05 | ALAS-2023-1760 | Fixed |
Amazon Linux 1 | golang | 2023-09-27 | ALAS-2023-1848 | Fixed |
Amazon Linux 2 - Core | golang | 2023-07-20 | ALAS2-2023-2163 | Fixed |
Amazon Linux 2 - Golang1.19 Extra | golang | 2023-08-07 | ALAS2GOLANG1.19-2023-001 | Fixed |
Amazon Linux 2023 | golang | 2023-06-07 | ALAS2023-2023-209 | Fixed |
Amazon Linux 2023 | golang | 2023-07-19 | ALAS2023-2023-269 | Fixed |
CVSS Scores
Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv3 | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
NVD | CVSSv3 | 7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |