CVE-2020-29509

CRITICAL9.8

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications

Published Dec 14, 2020

Modified 1 years ago

Details

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

References

WEB

https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md

WEB

https://security.netapp.com/advisory/ntap-20210129-0006/

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2020-29509

CVSS Analysis

CVSS v3.1

9.8

Exploitability

Attack Vector