The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

Name | Vendor | Start Version | End Version |
---|---|---|---|
Go | Golang | * | 1.15 (including) |
Golang | Ubuntu | trusty | * |
Golang-1.10 | Ubuntu | bionic | * |
Golang-1.10 | Ubuntu | trusty | * |
Golang-1.10 | Ubuntu | xenial | * |
Golang-1.13 | Ubuntu | bionic | * |
Golang-1.13 | Ubuntu | groovy | * |
Golang-1.13 | Ubuntu | hirsute | * |
Golang-1.13 | Ubuntu | impish | * |
Golang-1.13 | Ubuntu | kinetic | * |
Golang-1.13 | Ubuntu | xenial | * |
Golang-1.14 | Ubuntu | groovy | * |
Golang-1.14 | Ubuntu | hirsute | * |
Golang-1.15 | Ubuntu | groovy | * |
Golang-1.15 | Ubuntu | hirsute | * |
Golang-1.15 | Ubuntu | impish | * |
Golang-1.6 | Ubuntu | trusty | * |
Golang-1.6 | Ubuntu | xenial | * |
Golang-1.8 | Ubuntu | bionic | * |
Golang-1.9 | Ubuntu | bionic | * |