CVE-2024-55601
Publication date 9 December 2024
Last updated 11 December 2024
Ubuntu priority
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates: `_default/_markup/render-link.html` from `v0.123.0`; `_default/_markup/render-image.html` from `v0.123.0`; `_default/_markup/render-table.html` from `v0.134.0`; and/or `shortcodes/youtube.html` from `v0.125.0`. This issue is patched in v0.139.4. As a workaround, one may replace an affected component with user defined templates or disable the internal templates.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| hugo | 24.10 oracular |
Needs evaluation
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2024-55601
- https://github.com/gohugoio/hugo/security/advisories/GHSA-c2xf-9v2r-r2rx
- https://github.com/gohugoio/hugo/commit/54398f8d572c689f9785d59e907fd910a23401b0
- https://github.com/gohugoio/hugo/releases/tag/v0.139.4
- https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault