Description

Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g., "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template. Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.

Severity

 

CVSS Version 3.x CVSS Version 2.0

CVSS 3.x Severity and Metrics:

CNA:  Zabbix

Base Score:  9.8 CRITICAL

Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.

Note: The NVD and the CNA have provided the same score. When this occurs only the CNA information is displayed, but the Acceptance Level icon for the CNA is given a checkmark to signify NVD concurrence.

CVSS 2.0 Severity and Metrics:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.

Note: NVD Analysts have not published a CVSS score for this CVE at this time. NVD Analysts use publicly available information at the time of analysis to associate CVSS vector strings.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://support.zabbix.com/browse/ZBX-23388	Vendor Advisory

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-94	Improper Control of Generation of Code ('Code Injection')	NIST   Zabbix

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

1 change records found show changes

Initial Analysis by NIST 10/24/2023 10:50:55 AM

Action	Type	Old Value	New Value
Added	CPE Configuration		OR *cpe:2.3:a:zabbix:zabbix-agent2:*:*:*:*:*:*:*:* versions from (including) 5.0.0 up to (excluding) 5.0.35 *cpe:2.3:a:zabbix:zabbix-agent2:*:*:*:*:*:*:*:* versions from (including) 6.0.0 up to (excluding) 6.0.18 *cpe:2.3:a:zabbix:zabbix-agent2:*:*:*:*:*:*:*:* versions from (including) 6.4.0 up to (excluding) 6.4.3
Added	CVSS V3.1		NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Added	CWE		NIST CWE-94
Changed	Reference Type	https://support.zabbix.com/browse/ZBX-23388 No Types Assigned	https://support.zabbix.com/browse/ZBX-23388 Vendor Advisory