CVE-2023-24540
CVE Details
Last Update
10/29/2024
NIST CVE Summary
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
Our Official Summary
This is a vulnerability affecting the Golang Go software, specifically the html/template package. This issue arises from improper handling of JavaScript whitespace characters in certain contexts, leading to potential security risks. Systems using Golang Go versions up to 1.19.9 and from 1.20.0 to 1.20.4 are affected, particularly those using the html/template package with JavaScript contexts containing actions and specific whitespace characters. The images in which vulnerabilities are reported are not directly exposed. This restricts access to the vulnerable golang html/templates to authenticated users only, reducing the impact. We are waiting on an upstream fix from the 3rd party vendors. We will upgrade the images once the upstream fix becomes available.
CVE Severity
Status
Ongoing
Affected Products & Versions
- Palette Enterprise airgap 4.4.18
Revision History
- 1.0 09/15/2024 Initial Publication
- 2.0 09/15/2024 Added Palette Enterprise airgap 4.4.18 to Affected Products
- 3.0 10/10/2024 CVE remediated in Palette Enterprise airgap 4.5.3