Miscellaneous Golang Vulnerabilities

IDs: 
CVE-2023-39318, CVE-2023-39319, CVE-2023-39320, CVE-2023-39321, CVE-2023-39322
Keywords: 
go
Description: 

This article describes the impact of some recently disclosed Golang vulnerabilities on Airlock Gateway and Microgateway.

Airlock Gateway does not use Golang at all, so it is not affected.

Details CVE-2023-39318, CVE-2023-39319:

The html/template package did not properly handle HTML-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts.

The html/template package did not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts.

Airlock Microgateway does not use the html/template package and is therefore not affected.

Details CVE-2023-39320:

The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module.

The go.mod toolchain directive is only used in the build process of the statsdexporter, which is trusted. Therefore Airlock Microgateway is not affected.
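
The two "not affected" arguments above (no html/template import, toolchain directive only in a trusted build) can be checked the same way in any Go code base; the following is an added example, not Airlock code. The function names are hypothetical, and the sample go.mod, module path and source file are constructed.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// importsPackage reports whether src directly imports path (no transitive deps).
func importsPackage(src, path string) (bool, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "src.go", src, parser.ImportsOnly)
	if err != nil {
		return false, err
	}
	for _, imp := range f.Imports {
		if p, err := strconv.Unquote(imp.Path.Value); err == nil && p == path {
			return true, nil
		}
	}
	return false, nil
}

// toolchainDirective returns the value of a go.mod "toolchain" line, or "".
func toolchainDirective(goMod string) string {
	for _, line := range strings.Split(goMod, "\n") {
		code, _, _ := strings.Cut(line, "//") // drop trailing comment
		if f := strings.Fields(code); len(f) == 2 && f[0] == "toolchain" {
			return f[1]
		}
	}
	return ""
}

// Constructed sample inputs, not taken from any Airlock component.
const sampleGoMod = "module example.test/exporter\n\ngo 1.21\n\ntoolchain go1.21.0 // pinned\n"
const sampleSrc = `package main
import (
	"net/http"
	tmpl "text/template"
)
`

func main() {
	used, err := importsPackage(sampleSrc, "html/template")
	fmt.Println("imports html/template:", used, err)
	fmt.Println("toolchain directive:", toolchainDirective(sampleGoMod))
}
```

The check reads go.mod and the sources as text, so the "go" command does not have to run inside the module being inspected. The sample imports text/template, which is a different package and is correctly not reported.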

Details CVE-2023-39321, CVE-2023-39322:

Vulnerabilities related to the use of the QUIC protocol.

The QUIC protocol is not supported by the Golang components of Airlock Microgateway. Therefore, Airlock Microgateway is not affected.

Resolution: 

No action required.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock