Description
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Ceph Storage 2 | golang | Not affected | ||
| Red Hat Ceph Storage 3 | golang | Not affected | ||
| Red Hat Enterprise Linux 7 | golang | Will not fix | ||
| Red Hat Enterprise Linux 8 | golang | Not affected | ||
| Red Hat OpenShift Enterprise 3 | golang | Affected | ||
| Red Hat OpenStack Platform 8 (Liberty) Operational Tools | golang | Will not fix | ||
| Red Hat OpenStack Platform 9 (Mitaka) Operational Tools | golang | Will not fix | ||
| Red Hat Storage 3 | golang | Not affected | ||
Additional information
Status:
7.1 High
CVSS3
Related vulnerabilities
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
The "go get" implementation in Go 1.9.4, when the -insecure command-li ...
7.1 High
CVSS3