CVE-2020-29509

Summary

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

Affected Software

VendorProductVersion RangeStatus
GolangGoAll versionsaffected

Weaknesses

  • CWE-115: CWE-115 Misinterpretation of Input

Workarounds

Untrusted markup in affected applications can be validated using the github.com/mattermost/xml-roundtrip-validator module.

ADP Enrichment

CVE Program Container

Additional References

References