Описание
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
A flaw was found in golang, where not all valid JavaScript white-space characters were considered white space. Due to this issue, templates containing white-space characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
Отчет
For Red Hat Enterprise Linux,
- Conmon uses go in unit testing, but not functionally in the package. Go is used only in test files, hence, not in the actual code, thus, conmon is not affected.
- The Go templates in Grafana do not contain any javascript. Thus, it is not affected.
- Ignition does not make use of html/template. In Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable golang html/templates to authenticated users only, therefore the impact is low.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Custom Metric Autoscaler operator for Red Hat Openshift | custom-metrics-autoscaler/custom-metrics-autoscaler-rhel8 | Affected | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-loki-rhel8 | Not affected | ||
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-rhel8-operator | Affected | ||
| OpenShift Developer Tools and Services | helm | Affected | ||
| OpenShift Developer Tools and Services | odo | Affected | ||
| OpenShift Pipelines | openshift-pipelines-client | Affected | ||
| OpenShift Secondary Scheduler Operator | openshift-secondary-scheduler-operator/secondary-scheduler-rhel9-operator | Not affected | ||
| OpenShift Serverless | openshift-serverless-1/client-kn-rhel8 | Affected | ||
| Red Hat 3scale API Management Platform 2 | 3scale-operator-container | Affected | ||
| Red Hat AMQ Broker 7 | amq-broker-rhel8-operator-container | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
8.1 High
CVSS3
Связанные уязвимости
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
Not all valid JavaScript whitespace characters are considered to be wh ...
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
ELSA-2023-3319: go-toolset:ol8 security update (IMPORTANT)
EPSS
8.1 High
CVSS3