Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2017-15041

Опубликовано: 05 окт. 2017
Источник: nvd
CVSS3: 9.8
CVSS2: 7.5
EPSS Низкий

Описание

Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get."

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Версия до 1.8.3 (включая)
cpe:2.3:a:golang:go:1.9:-:*:*:*:*:*:*
Конфигурация 2
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Конфигурация 3

Одно из

cpe:2.3:a:redhat:developer_tools:1.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_tus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_tus:7.7:*:*:*:*:*:*:*

EPSS

Процентиль: 91%
0.0717
Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

ubuntu логотип

CVE-2017-15041

CVSS3: 9.8
ubuntu
больше 8 лет назад

Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get."

redhat логотип

CVE-2017-15041

CVSS3: 7.5
redhat
больше 8 лет назад

Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get."

debian логотип

CVE-2017-15041

CVSS3: 9.8
debian
больше 8 лет назад

Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command ...

github логотип

GHSA-2w49-qg9p-7jxx

CVSS3: 9.8
github
больше 3 лет назад

Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get."

EPSS

Процентиль: 91%
0.0717
Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

NVD-CWE-noinfo