CVE-2020-29510
Published: 14 December 2020
The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
Notes
Author | Note |
---|---|
mdeslaur | Packages built using golang need to be rebuilt once the vulnerability has been fixed. This CVE entry does not list packages that need rebuilding outside of the main repository or the Ubuntu variants with PPA overlays. As of 2021-08-10, there likely won't be a fix for this issue by the upstream Go developers. |
Priority
Status
Package | Release | Status |
---|---|---|
golang-1.10 | trusty | Deferred |
golang-1.10 | xenial | Deferred |
golang-1.10 | impish | Does not exist |
golang-1.10 | bionic | Deferred |
golang-1.10 | jammy | Does not exist |
golang-1.10 | kinetic | Does not exist |
golang-1.10 | lunar | Does not exist |
golang-1.10 | focal | Does not exist |
golang-1.10 | groovy | Does not exist |
golang-1.10 | hirsute | Does not exist |
golang-1.10 | upstream | Needs triage |
golang-1.10 | mantic | Does not exist |
golang | impish | Does not exist |
golang | jammy | Does not exist |
golang | kinetic | Does not exist |
golang | lunar | Does not exist |
golang | bionic | Does not exist |
golang | focal | Does not exist |
golang | groovy | Does not exist |
golang | hirsute | Does not exist |
golang | trusty | Does not exist |
golang | upstream | Needs triage |
golang | xenial | Does not exist |
golang | mantic | Does not exist |
golang-1.14 | impish | Does not exist |
golang-1.14 | hirsute | Ignored (end of life) |
golang-1.14 | bionic | Does not exist |
golang-1.14 | trusty | Does not exist |
golang-1.14 | upstream | Needs triage |
golang-1.14 | xenial | Does not exist |
golang-1.14 | groovy | Ignored (end of life) |
golang-1.14 | jammy | Does not exist |
golang-1.14 | kinetic | Does not exist |
golang-1.14 | lunar | Does not exist |
golang-1.14 | focal | Deferred |
golang-1.14 | mantic | Does not exist |
golang-1.6 | impish | Does not exist |
golang-1.6 | jammy | Does not exist |
golang-1.6 | kinetic | Does not exist |
golang-1.6 | lunar | Does not exist |
golang-1.6 | bionic | Does not exist |
golang-1.6 | focal | Does not exist |
golang-1.6 | groovy | Does not exist |
golang-1.6 | hirsute | Does not exist |
golang-1.6 | trusty | Does not exist |
golang-1.6 | upstream | Needs triage |
golang-1.6 | xenial | Deferred |
golang-1.6 | mantic | Does not exist |
golang-1.8 | impish | Does not exist |
golang-1.8 | jammy | Does not exist |
golang-1.8 | kinetic | Does not exist |
golang-1.8 | lunar | Does not exist |
golang-1.8 | bionic | Deferred |
golang-1.8 | focal | Does not exist |
golang-1.8 | groovy | Does not exist |
golang-1.8 | hirsute | Does not exist |
golang-1.8 | trusty | Does not exist |
golang-1.8 | upstream | Needs triage |
golang-1.8 | xenial | Does not exist |
golang-1.8 | mantic | Does not exist |
golang-1.9 | impish | Does not exist |
golang-1.9 | jammy | Does not exist |
golang-1.9 | kinetic | Does not exist |
golang-1.9 | lunar | Does not exist |
golang-1.9 | bionic | Deferred |
golang-1.9 | focal | Does not exist |
golang-1.9 | groovy | Does not exist |
golang-1.9 | hirsute | Does not exist |
golang-1.9 | trusty | Does not exist |
golang-1.9 | upstream | Needs triage |
golang-1.9 | xenial | Does not exist |
golang-1.9 | mantic | Does not exist |
golang-1.13 | hirsute | Ignored (end of life) |
golang-1.13 | trusty | Does not exist |
golang-1.13 | upstream | Needs triage |
golang-1.13 | xenial | Deferred (2021-02-04) |
golang-1.13 | groovy | Ignored (end of life) |
golang-1.13 | kinetic | Ignored (end of life, was deferred) |
golang-1.13 | jammy | Deferred |
golang-1.13 | lunar | Does not exist |
golang-1.13 | bionic | Deferred |
golang-1.13 | focal | Deferred |
golang-1.13 | impish | Ignored (end of life) |
golang-1.13 | mantic | Does not exist |
golang-1.15 | hirsute | Ignored (end of life) |
golang-1.15 | bionic | Does not exist |
golang-1.15 | focal | Does not exist |
golang-1.15 | trusty | Does not exist |
golang-1.15 | upstream | Needs triage |
golang-1.15 | xenial | Does not exist |
golang-1.15 | groovy | Ignored (end of life) |
golang-1.15 | impish | Ignored (end of life) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.6 |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | Low |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |