Описание
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
An arbitrary command execution flaw was found in the way Go's "go get" command handled gcc and clang sensitive options during the build. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side.
Отчет
This issue affects the versions of golang as shipped with Red Hat OpenShift Enterprise 3. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ceph Storage 2 | golang | Not affected | ||
| Red Hat Ceph Storage 3 | golang | Not affected | ||
| Red Hat OpenShift Enterprise 3 | golang | Will not fix | ||
| Red Hat OpenStack Platform 8 (Liberty) Operational Tools | golang | Will not fix | ||
| Red Hat OpenStack Platform 9 (Mitaka) Operational Tools | golang | Will not fix | ||
| Red Hat Storage 3 | golang | Not affected | ||
| Red Hat Developer Tools | go-toolset-7 | Fixed | RHSA-2018:1304 | 03.05.2018 |
| Red Hat Developer Tools | go-toolset-7-golang | Fixed | RHSA-2018:1304 | 03.05.2018 |
| Red Hat Enterprise Linux 7 | golang | Fixed | RHSA-2018:0878 | 10.04.2018 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.8 Medium
CVSS3
Связанные уязвимости
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases befor ...
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
Уязвимость реализации команды «go get» программного пакета Go, позволяющая нарушителю удаленно выполнить команду «go get»
EPSS
5.8 Medium
CVSS3