CVE-2020-29510

Summary

The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

Affected Software

VendorProductVersion RangeStatus
GolangGounspecified <= 1.15affected

Weaknesses

  • CWE-115: CWE-115 Misinterpretation of Input

Workarounds

Untrusted markup in affected applications can be validated using the github.com/mattermost/xml-roundtrip-validator module.

ADP Enrichment

CVE Program Container

Additional References

References