CVE-2020-29511 - The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element n

CVE-2020-29511

Summary

The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.

References

https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md
https://security.netapp.com/advisory/ntap-20210129-0006/

Vulnerable Configurations

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
cpe:2.3:a:netapp:trident:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:trident:-:*:*:*:*:*:*:*

CVSS

Base:	6.8 (as of 30-01-2021 - 01:22)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

refmap via4

misc

https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md

Last major update

30-01-2021 - 01:22

Published

14-12-2020 - 20:15

Last modified

30-01-2021 - 01:22