Lucene search

RedhatCVE-2018-16873

HistoryDec 14, 2018 - 2:29 p.m.

CVE-2018-16873

2018-12-1414:29:00

CWE-20

redhat

web.nvd.nist.gov

181

go get

rce

security vulnerability

gopath

git

malicious command

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.5

Confidence

High

EPSS

0.263

Percentile

96.8%

JSON

In Go before 1.10.6 and 1.11.x before 1.11.3, the “go get” command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it’s possible to arrange things so that a Git repository is cloned to a folder named “.git” by using a vanity import path that ends with “/.git”. If the Git repository root contains a “HEAD” file, a “config” file, an “objects” directory, a “refs” directory, with some work to ensure the proper ordering of operations, “go get -u” can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the “config” file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running “go get -u”.

Affected configurations

Nvd

Vulners

Node

golanggoRange<1.10.6

golanggoRange1.11.0–1.11.3

Node

opensusebackports_sleMatch15.0-

opensuseleapMatch15.0

opensuseleapMatch15.1

opensuseleapMatch42.3

suselinux_enterprise_serverMatch12-

Node

debiandebian_linuxMatch9.0

VendorProductVersionCPE
golanggo*cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
opensusebackports_sle15.0cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*
opensuseleap15.0cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
opensuseleap15.1cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
opensuseleap42.3cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
suselinux_enterprise_server12cpe:2.3:o:suse:linux_enterprise_server:12:-:*:*:*:*:*:*
debiandebian_linux9.0cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
golang	go	*	cpe:2.3:a:golang:go::::::::
opensuse	backports_sle	15.0	cpe:2.3:a:opensuse:backports_sle:15.0:-::::::
opensuse	leap	15.0	cpe:2.3:o:opensuse:leap:15.0:::::::*
opensuse	leap	15.1	cpe:2.3:o:opensuse:leap:15.1:::::::*
opensuse	leap	42.3	cpe:2.3:o:opensuse:leap:42.3:::::::*
suse	linux_enterprise_server	12	cpe:2.3:o:suse:linux_enterprise_server:12:-::::::
debian	debian_linux	9.0	cpe:2.3:o:debian:debian_linux:9.0:::::::*

CNA Affected

[
  {
    "product": "golang",
    "vendor": "[UNKNOWN]",
    "versions": [
      {
        "status": "affected",
        "version": "1.10.6"
      },
      {
        "status": "affected",
        "version": "1.11.3"
      }
    ]
  }
]