{"api_version":"1","generated_at":"2026-04-23T01:00:07+00:00","cve":"CVE-2023-24540","urls":{"html":"https://cve.report/CVE-2023-24540","api":"https://cve.report/api/cve/CVE-2023-24540.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-24540","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-24540"},"summary":{"title":"CVE-2023-24540","description":"Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set \"\\t\\n\\f\\r\\u0020\\u2028\\u2029\" in JavaScript contexts that also contain actions may not be properly sanitized during execution.","state":"PUBLIC","assigner":"security@golang.org","published_at":"2023-05-11 16:15:00","updated_at":"2023-11-07 04:08:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://pkg.go.dev/vuln/GO-2023-1752","name":"https://pkg.go.dev/vuln/GO-2023-1752","refsource":"MISC","tags":[],"title":"GO-2023-1752 - Go Packages","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://go.dev/issue/59721","name":"https://go.dev/issue/59721","refsource":"MISC","tags":[],"title":"html/template: improper handling of JavaScript whitespace · Issue #59721 · golang/go · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://go.dev/cl/491616","name":"https://go.dev/cl/491616","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU","name":"https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU","refsource":"MISC","tags":[],"title":"[security] Go 1.20.4 and Go 1.19.9 are released","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-24540","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-24540","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"24540","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-24540","qid":"160702","title":"Oracle Enterprise Linux Security Update for go-toolset and golang (ELSA-2023-3318)"},{"cve":"CVE-2023-24540","qid":"160703","title":"Oracle Enterprise Linux Security Update for go-toolset:ol8 (ELSA-2023-3319)"},{"cve":"CVE-2023-24540","qid":"161061","title":"Oracle Enterprise Linux Security Update for skopeo (ELSA-2023-6363)"},{"cve":"CVE-2023-24540","qid":"161062","title":"Oracle Enterprise Linux Security Update for containernetworking-plugins (ELSA-2023-6402)"},{"cve":"CVE-2023-24540","qid":"161063","title":"Oracle Enterprise Linux Security Update for podman (ELSA-2023-6474)"},{"cve":"CVE-2023-24540","qid":"161105","title":"Oracle Enterprise Linux Security Update for buildah (ELSA-2023-6473)"},{"cve":"CVE-2023-24540","qid":"161175","title":"Oracle Enterprise Linux Security Update for container-tools:ol8 (ELSA-2023-6939)"},{"cve":"CVE-2023-24540","qid":"161187","title":"Oracle Enterprise Linux Security Update for container-tools:4.0 (ELSA-2023-6938)"},{"cve":"CVE-2023-24540","qid":"199396","title":"Ubuntu Security Notification for Go Vulnerabilities (USN-6140-1)"},{"cve":"CVE-2023-24540","qid":"241559","title":"Red Hat Update for go-toolset and golang (RHSA-2023:3318)"},{"cve":"CVE-2023-24540","qid":"241560","title":"Red Hat Update for go-toolset:rhel8 (RHSA-2023:3319)"},{"cve":"CVE-2023-24540","qid":"241582","title":"Red Hat Update for OpenStack Platform 16.2 (RHSA-2023:3445)"},{"cve":"CVE-2023-24540","qid":"241623","title":"Red Hat OpenShift Container Platform 4.13 Security Update (RHSA-2023:3366)"},{"cve":"CVE-2023-24540","qid":"241687","title":"Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:3409)"},{"cve":"CVE-2023-24540","qid":"241700","title":"Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:3545)"},{"cve":"CVE-2023-24540","qid":"241745","title":"Red Hat OpenShift Container Platform 4.13 Security Update (RHSA-2023:3612)"},{"cve":"CVE-2023-24540","qid":"241775","title":"Red Hat Update for red hat openshift enterprise (RHSA-2023:3910)"},{"cve":"CVE-2023-24540","qid":"241776","title":"Red Hat Update for red hat openshift enterprise (RHSA-2023:3914)"},{"cve":"CVE-2023-24540","qid":"242287","title":"Red Hat Update for buildah (RHSA-2023:6473)"},{"cve":"CVE-2023-24540","qid":"242288","title":"Red Hat Update for toolbox (RHSA-2023:6346)"},{"cve":"CVE-2023-24540","qid":"242299","title":"Red Hat Update for containernetworking-plugins (RHSA-2023:6402)"},{"cve":"CVE-2023-24540","qid":"242319","title":"Red Hat Update for skopeo (RHSA-2023:6363)"},{"cve":"CVE-2023-24540","qid":"242335","title":"Red Hat Update for podman security (RHSA-2023:6474)"},{"cve":"CVE-2023-24540","qid":"242415","title":"Red Hat Update for container-tools:rhel8 (RHSA-2023:6939)"},{"cve":"CVE-2023-24540","qid":"242458","title":"Red Hat Update for container-tools:4.0 (RHSA-2023:6938)"},{"cve":"CVE-2023-24540","qid":"296101","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 59.138.2 Missing (CPUJUL2023)"},{"cve":"CVE-2023-24540","qid":"355425","title":"Amazon Linux Security Advisory for golang : ALAS-2023-1760"},{"cve":"CVE-2023-24540","qid":"355442","title":"Amazon Linux Security Advisory for golang : ALAS2023-2023-209"},{"cve":"CVE-2023-24540","qid":"355697","title":"Amazon Linux Security Advisory for golang : ALAS2-2023-2163"},{"cve":"CVE-2023-24540","qid":"355797","title":"Amazon Linux Security Advisory for containerd : ALAS2NITRO-ENCLAVES-2023-026"},{"cve":"CVE-2023-24540","qid":"355837","title":"Amazon Linux Security Advisory for containerd : ALAS2DOCKER-2023-029"},{"cve":"CVE-2023-24540","qid":"356180","title":"Amazon Linux Security Advisory for golang : ALASGOLANG1.19-2023-001"},{"cve":"CVE-2023-24540","qid":"356428","title":"Amazon Linux Security Advisory for amazon-ssm-agent : ALAS2-2023-2303"},{"cve":"CVE-2023-24540","qid":"356458","title":"Amazon Linux Security Advisory for amazon-ssm-agent : ALAS-2023-1866"},{"cve":"CVE-2023-24540","qid":"356503","title":"Amazon Linux Security Advisory for golang : ALAS2GOLANG1.19-2023-001"},{"cve":"CVE-2023-24540","qid":"356574","title":"Amazon Linux Security Advisory for docker : ALAS2ECS-2023-019"},{"cve":"CVE-2023-24540","qid":"356580","title":"Amazon Linux Security Advisory for docker : ALAS2DOCKER-2023-031"},{"cve":"CVE-2023-24540","qid":"356591","title":"Amazon Linux Security Advisory for docker : ALAS2NITRO-ENCLAVES-2023-030"},{"cve":"CVE-2023-24540","qid":"378593","title":"Alibaba Cloud Linux Security Update for go-toolset:rhel8 (ALINUX3-SA-2023:0049)"},{"cve":"CVE-2023-24540","qid":"378883","title":"Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)"},{"cve":"CVE-2023-24540","qid":"379641","title":"Alibaba Cloud Linux Security Update for container-tools:rhel8 (ALINUX3-SA-2024:0050)"},{"cve":"CVE-2023-24540","qid":"502993","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-24540","qid":"503189","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-24540","qid":"506082","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2023-24540","qid":"673210","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2382)"},{"cve":"CVE-2023-24540","qid":"673238","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2356)"},{"cve":"CVE-2023-24540","qid":"673313","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2613)"},{"cve":"CVE-2023-24540","qid":"673314","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2583)"},{"cve":"CVE-2023-24540","qid":"673548","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2644)"},{"cve":"CVE-2023-24540","qid":"673694","title":"EulerOS Security Update for golang (EulerOS-SA-2023-2686)"},{"cve":"CVE-2023-24540","qid":"691224","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for go (78f2e491-312d-11ee-85f2-bd89b893fcb4)"},{"cve":"CVE-2023-24540","qid":"753976","title":"SUSE Enterprise Linux Security Update for go1.19 (SUSE-SU-2023:2127-1)"},{"cve":"CVE-2023-24540","qid":"753977","title":"SUSE Enterprise Linux Security Update for go1.20 (SUSE-SU-2023:2105-2)"},{"cve":"CVE-2023-24540","qid":"770189","title":"Red Hat OpenShift Container Platform 4.13 Security Update (RHSA-2023:3366)"},{"cve":"CVE-2023-24540","qid":"770191","title":"Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:3409)"},{"cve":"CVE-2023-24540","qid":"770193","title":"Red Hat OpenShift Container Platform 4.12 Security Update (RHSA-2023:3545)"},{"cve":"CVE-2023-24540","qid":"770195","title":"Red Hat OpenShift Container Platform 4.13 Security Update (RHSA-2023:3612)"},{"cve":"CVE-2023-24540","qid":"770203","title":"Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2023:3910)"},{"cve":"CVE-2023-24540","qid":"770204","title":"Red Hat OpenShift Container Platform 4.11 Security Update (RHSA-2023:3914)"},{"cve":"CVE-2023-24540","qid":"907917","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for msft-golang (26626-1)"},{"cve":"CVE-2023-24540","qid":"908076","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (37428-1)"},{"cve":"CVE-2023-24540","qid":"941126","title":"AlmaLinux Security Update for go-toolset and golang (ALSA-2023:3318)"},{"cve":"CVE-2023-24540","qid":"941127","title":"AlmaLinux Security Update for go-toolset:rhel8 (ALSA-2023:3319)"},{"cve":"CVE-2023-24540","qid":"941383","title":"AlmaLinux Security Update for containernetworking-plugins (ALSA-2023:6402)"},{"cve":"CVE-2023-24540","qid":"941386","title":"AlmaLinux Security Update for buildah (ALSA-2023:6473)"},{"cve":"CVE-2023-24540","qid":"941391","title":"AlmaLinux Security Update for toolbox (ALSA-2023:6346)"},{"cve":"CVE-2023-24540","qid":"941399","title":"AlmaLinux Security Update for podman (ALSA-2023:6474)"},{"cve":"CVE-2023-24540","qid":"941405","title":"AlmaLinux Security Update for skopeo (ALSA-2023:6363)"},{"cve":"CVE-2023-24540","qid":"941444","title":"AlmaLinux Security Update for container-tools:4.0 (ALSA-2023:6938)"},{"cve":"CVE-2023-24540","qid":"941481","title":"AlmaLinux Security Update for container-tools:rhel8 (ALSA-2023:6939)"},{"cve":"CVE-2023-24540","qid":"960938","title":"Rocky Linux Security Update for go-toolset:Rocky (RLSA-2023:3319)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-24540","ASSIGNER":"security@golang.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set \"\\t\\n\\f\\r\\u0020\\u2028\\u2029\" in JavaScript contexts that also contain actions may not be properly sanitized during execution."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-74: Improper input validation"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Go standard library","product":{"product_data":[{"product_name":"html/template","version":{"version_data":[{"version_affected":"<","version_name":"0","version_value":"1.19.9"},{"version_affected":"<","version_name":"1.20.0-0","version_value":"1.20.4"}]}}]}}]}},"references":{"reference_data":[{"url":"https://go.dev/issue/59721","refsource":"MISC","name":"https://go.dev/issue/59721"},{"url":"https://go.dev/cl/491616","refsource":"MISC","name":"https://go.dev/cl/491616"},{"url":"https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU","refsource":"MISC","name":"https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU"},{"url":"https://pkg.go.dev/vuln/GO-2023-1752","refsource":"MISC","name":"https://pkg.go.dev/vuln/GO-2023-1752"}]},"credits":[{"lang":"en","value":"Juho Nurminen of Mattermost"}]},"nvd":{"publishedDate":"2023-05-11 16:15:00","lastModifiedDate":"2023-11-07 04:08:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionStartIncluding":"1.20.0","versionEndExcluding":"1.20.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionEndExcluding":"1.19.9","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}