{"id":"UBUNTU-CVE-2023-24540","details":"Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set \"\\t\\n\\f\\r\\u0020\\u2028\\u2029\" in JavaScript contexts that also contain actions may not be properly sanitized during execution.","modified":"2026-01-30T01:18:30.377748Z","published":"2023-05-11T16:15:00Z","withdrawn":"2025-07-18T16:54:21Z","related":["USN-6140-1"],"upstream":["CVE-2023-24540"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-24540"},{"type":"REPORT","url":"https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU"},{"type":"REPORT","url":"https://github.com/golang/go/issues/59721"},{"type":"REPORT","url":"https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797"},{"type":"REPORT","url":"https://github.com/golang/go/commit/4a28cad66655ee01c6e944271e23c33cab021765"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-6140-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2023-24540"}],"affected":[{"package":{"name":"golang-1.20","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/golang-1.20@1.20.3-1ubuntu0.1~20.04?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.20.3-1ubuntu0.1~20.04"}]}],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"1.20.3-1ubuntu0.1~20.04","binary_name":"golang-1.20"},{"binary_version":"1.20.3-1ubuntu0.1~20.04","binary_name":"golang-1.20-doc"},{"binary_version":"1.20.3-1ubuntu0.1~20.04","binary_name":"golang-1.20-go"},{"binary_version":"1.20.3-1ubuntu0.1~20.04","binary_name":"golang-1.20-go-dbgsym"},{"binary_version":"1.20.3-1ubuntu0.1~20.04","binary_name":"golang-1.20-src"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-24540.json"}},{"package":{"name":"golang-1.20","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/golang-1.20@1.20.3-1ubuntu0.1~22.04?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.20.3-1ubuntu0.1~22.04"}]}],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"1.20.3-1ubuntu0.1~22.04","binary_name":"golang-1.20"},{"binary_version":"1.20.3-1ubuntu0.1~22.04","binary_name":"golang-1.20-doc"},{"binary_version":"1.20.3-1ubuntu0.1~22.04","binary_name":"golang-1.20-go"},{"binary_version":"1.20.3-1ubuntu0.1~22.04","binary_name":"golang-1.20-go-dbgsym"},{"binary_version":"1.20.3-1ubuntu0.1~22.04","binary_name":"golang-1.20-src"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-24540.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}