Fluid Attacks Database

Description

If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	stdlib	>=0 <1.21.8	1.21.8
debian 11	golang-1.15	=1.15.15-1 \|\| =1.15.15-1~deb11u1 \|\| =1.15.15-1~deb11u2 \|\| =1.15.15-1~deb11u3 \|\| =1.15.15-1~deb11u4 \|\| =1.15.15-2 \|\| =1.15.15-3 \|\| =1.15.15-4 \|\| =1.15.15-5 \|\| =1.15.9-6	-
debian 12	golang-1.19	=1.19.10-1 \|\| =1.19.10-2 \|\| =1.19.11-1 \|\| =1.19.12-1 \|\| =1.19.12-2 \|\| =1.19.12-2~bpo11+1 \|\| =1.19.12-2~bpo12+1 \|\| =1.19.13-1 \|\| =1.19.13-1~bpo11+1 \|\| =1.19.13-1~bpo12+1 \|\| =1.19.8-2 \|\| =1.19.9-1	-
rpm rhel9	osbuild-composer	-	-
rpm rhel7	rhc-worker-script	-	-
rpm rhel8	grafana	-	-
rpm rhel9	grafana	-	-
rpm rhel8	go-toolset	<0:1.21.9-1.module+el8.10.0+21671+b35c3b78	0:1.21.9-1.module+el8.10.0+21671+b35c3b78
rpm rhel9	ignition	-	-
rpm rhel9	toolbox	<0:0.0.99.5-5.el9	0:0.0.99.5-5.el9

1-10 of 13

Aliases

1. CVE-2024-247852. NVD-2024-247853. OSV-GO-2024-26104. OSV-2024-247855. OSV-DEBIAN-2024-247856. GCVE-2024-247857. SECURITY-TRACKER-CVE-2024-24785

References

1. https://go.dev/issue/656972. https://go.dev/cl/5641963. https://groups.google.com/g/golang-announce/c/5pwGVUPoMbg