Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2018-16873

Опубликовано: 14 дек. 2018
Источник: nvd
CVSS3: 7.5
CVSS3: 8.1
CVSS2: 6.8
EPSS Средний

Описание

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Версия до 1.10.6 (исключая)
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Версия от 1.11.0 (включая) до 1.11.3 (исключая)
Конфигурация 2

Одно из

cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:12:-:*:*:*:*:*:*
Конфигурация 3
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

EPSS

Процентиль: 98%
0.60608
Средний

7.5 High

CVSS3

8.1 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-20
CWE-20

Связанные уязвимости

ubuntu логотип

CVE-2018-16873

CVSS3: 8.1
ubuntu
около 7 лет назад

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious comma...

redhat логотип

CVE-2018-16873

CVSS3: 7.5
redhat
около 7 лет назад

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious comma...

debian логотип

CVE-2018-16873

CVSS3: 8.1
debian
около 7 лет назад

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is ...

github логотип

GHSA-q6pp-3q54-qw37

CVSS3: 8.1
github
больше 3 лет назад

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious comma...

fstec логотип

BDU:2020-01887

CVSS3: 8.1
fstec
около 7 лет назад

Уязвимость реализации команды «go get» языка программирования Go, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 98%
0.60608
Средний

7.5 High

CVSS3

8.1 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-20
CWE-20