CVE-2018-16874 Information
Description
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Reference
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html
http://www.securityfocus.com/bid/106228
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16874
https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0
https://security.gentoo.org/glsa/201812-09
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
8.1
Base Severity
HIGH