CVE-2023-24538
CVE Details
Visit the official vulnerability details page for CVE-2023-24538 to learn more.
Initial Publication
10/25/2024
Last Update
01/20/2025
Third Party Dependency
go
NIST CVE Summary
Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.
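The pattern the summary describes, a Go template action inside a JavaScript template literal, can be located in template source before a Go upgrade makes those templates fail. The scanner below is an added example, not code from this advisory or from the Go project; the function name and the sample template are assumptions made for illustration, and the lexer is deliberately simplified.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: only line 4 puts an action inside a backtick literal.
const sample = "<p>{{.Title}}</p>\n<script>\nvar ok = {{.User}}; // value context\n" +
	"var a = `hello {{.User}}`;\nvar s = \"it's `fine` {{.X}}\";\n</script>\n"

// ActionsInJSTemplateLiterals returns the 1-based lines where a Go template action
// starts inside a JS template literal in a <script> element. Simplified lexer
// (assumption): no regex literals and no tracking of nested ${...} expressions.
func ActionsInJSTemplateLiterals(src string) (hits []int) {
	inScript, state, line := false, byte(0), 1 // state: 0 code; ' " ` string; / * comment
	for i := 0; i < len(src); i++ {
		c, rest := src[i], src[i:]
		switch {
		case c == '\n':
			line++
			if state != '`' && state != '*' {
				state = 0 // line comments and quoted strings end at a newline
			}
		case !inScript:
			inScript = len(rest) >= 7 && strings.EqualFold(rest[:7], "<script")
		case len(rest) >= 8 && strings.EqualFold(rest[:8], "</script"):
			inScript, state = false, 0 // HTML ends the element whatever the JS state
		case strings.HasPrefix(rest, "{{"):
			if state == '`' {
				hits = append(hits, line)
			}
			action, _, _ := strings.Cut(rest, "}}") // skip the action body
			line, i = line+strings.Count(action, "\n"), i+len(action)+1
		case state == 0 && (strings.HasPrefix(rest, "//") || strings.HasPrefix(rest, "/*")):
			state, i = rest[1], i+1 // rest[1] is '/' or '*'
		case state == 0 && (c == '\'' || c == '"' || c == '`'):
			state = c
		case state == '*' && strings.HasPrefix(rest, "*/"):
			state, i = 0, i+1
		case c == '\\' && (state == '\'' || state == '"' || state == '`'):
			i++ // skip the escaped character
		case c == state && state != '/' && state != '*':
			state = 0 // closing delimiter
		}
	}
	return hits
}

func main() { fmt.Println(ActionsInJSTemplateLiterals(sample)) }
```

Actions in plain JS value context or inside ordinary quoted strings are not reported, since the summary's restriction applies only to template literals.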
CVE Severity
Our Official Summary
This vulnerability is reported on several of the 3rd party cni images used by our products such as calico and multus-cni. The out-of-bounds write vulnerability in the Bzip2 libraries can be exploited by a malicious bzip2 payload, potentially resulting in a denial of service or remote code execution. Network services or command line utilities that decompress untrusted bzip2 payloads are at risk. The risk scenario is low for the following reasons: These images are optional and will be installed depending on the configuration of the deployments; there are no known reports of exploitation from the 3rd party vendors; and these images are not accessible directly for an attacker to send crafted input. We will upgrade the images when the fixes become available from the vendors.
Status
Ongoing
Affected Products & Versions
This CVE is non-impacting as the impacting symbol and/or function is not used in the product
Revision History
Date | Revision |
---|---|
01/20/2025 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15, 4.5.20 |
12/16/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15 |
12/09/2024 | Official summary revised: This vulnerability is reported on several of the 3rd party cni images used by our products such as calico and multus-cni. The out-of-bounds write vulnerability in the Bzip2 libraries can be exploited by a malicious bzip2 payload, potentially resulting in a denial of service or remote code execution. Network services or command line utilities that decompress untrusted bzip2 payloads are at risk. The risk scenario is low for the following reasons: These images are optional and will be installed depending on the configuration of the deployments; there are no known reports of exploitation from the 3rd party vendors; and these images are not accessible directly for an attacker to send crafted input. We will upgrade the images when the fixes become available from the vendors. |
11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 |
11/15/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 |
11/13/2024 | Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20 |
11/10/2024 | Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8 |
10/27/2024 | Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5 |