The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Go | Golang | * | 1.15 (including) |
| Golang | Ubuntu | trusty | * |
| Golang-1.10 | Ubuntu | bionic | * |
| Golang-1.10 | Ubuntu | trusty | * |
| Golang-1.10 | Ubuntu | trusty/esm | * |
| Golang-1.10 | Ubuntu | xenial | * |
| Golang-1.13 | Ubuntu | bionic | * |
| Golang-1.13 | Ubuntu | groovy | * |
| Golang-1.13 | Ubuntu | hirsute | * |
| Golang-1.13 | Ubuntu | impish | * |
| Golang-1.13 | Ubuntu | kinetic | * |
| Golang-1.13 | Ubuntu | xenial | * |
| Golang-1.14 | Ubuntu | groovy | * |
| Golang-1.14 | Ubuntu | hirsute | * |
| Golang-1.15 | Ubuntu | groovy | * |
| Golang-1.15 | Ubuntu | hirsute | * |
| Golang-1.15 | Ubuntu | impish | * |
| Golang-1.6 | Ubuntu | trusty | * |
| Golang-1.6 | Ubuntu | xenial | * |
| Golang-1.8 | Ubuntu | bionic | * |
| Golang-1.9 | Ubuntu | bionic | * |