CVE-2023-24538: 
Docker vulnerability analysis and mitigation

CVE-2023-24538 is a security vulnerability discovered in Go's html/template package that affects versions prior to 1.19.8 and versions from 1.20.0 up to (excluding) 1.20.3. The vulnerability was discovered by Sohom Datta from Manipal Institute of Technology and was publicly disclosed on April 4, 2023 (Golang Announce).

The vulnerability stems from the html/template package not properly considering backticks (`) as Javascript string delimiters and not escaping them as expected. In ES6, backticks are used for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, potentially allowing injection of arbitrary Javascript code into the Go template (Go Issue, Go Vuln).

The vulnerability has been rated as Critical with a CVSS v3.1 base score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (NetApp Advisory).

The issue has been fixed in Go versions 1.19.8 and 1.20.3. The fix disallows Go template actions from being used inside template literals, as there is no obviously safe way to allow this behavior. Template.Parse now returns an Error with ErrorCode 12 when encountering such templates. Users who need to maintain the previous behavior can use the GODEBUG flag jstmpllitinterp=1, though this should be used with caution as backticks will be escaped (Golang Announce).