CVE-2018-7187 - OpenCVE

The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:M/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Golang	Go
Debian	Debian Linux

Configuration 1 [-]

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go::::::::

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:7.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

References

Link	Resource
https://gist.github.com/SLAYEROWNER/b2a358f13ab267f2e9543bb9f9320ffc	Third Party Advisory
https://github.com/golang/go/issues/23867	Exploit Issue Tracking Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/02/msg00029.html	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/201804-12	Third Party Advisory
https://www.debian.org/security/2019/dsa-4379	Third Party Advisory
https://www.debian.org/security/2019/dsa-4380	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2018-02-16T17:00:00

Updated: 2019-02-02T10:57:01

Reserved: 2018-02-16T00:00:00

Link: CVE-2018-7187

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-02-16T17:29:00.403

Modified: 2022-08-16T13:01:06.020

Link: CVE-2018-7187

JSON object: View

Redhat Information

No data.

CWE

CWE-78

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-02-16T00:00:00", "descriptions": [{"lang": "en", "value": "The \"go get\" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for \"://\" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-02-02T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "[debian-lts-announce] 20180225 [SECURITY] [DLA 1294-1] golang security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00029.html"}, {"name": "DSA-4380", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2019/dsa-4380"}, {"name": "GLSA-201804-12", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201804-12"}, {"name": "DSA-4379", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2019/dsa-4379"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/golang/go/issues/23867"}, {"tags": ["x_refsource_MISC"], "url": "https://gist.github.com/SLAYEROWNER/b2a358f13ab267f2e9543bb9f9320ffc"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-7187", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The \"go get\" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for \"://\" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[debian-lts-announce] 20180225 [SECURITY] [DLA 1294-1] golang security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00029.html"}, {"name": "DSA-4380", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4380"}, {"name": "GLSA-201804-12", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201804-12"}, {"name": "DSA-4379", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4379"}, {"name": "https://github.com/golang/go/issues/23867", "refsource": "CONFIRM", "url": "https://github.com/golang/go/issues/23867"}, {"name": "https://gist.github.com/SLAYEROWNER/b2a358f13ab267f2e9543bb9f9320ffc", "refsource": "MISC", "url": "https://gist.github.com/SLAYEROWNER/b2a358f13ab267f2e9543bb9f9320ffc"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-7187", "datePublished": "2018-02-16T17:00:00", "dateReserved": "2018-02-16T00:00:00", "dateUpdated": "2019-02-02T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB93BF8E-67F7-49AB-9288-E2FE0A8389DE", "versionEndExcluding": "1.9.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "020956E5-047C-4A7E-AD57-3100B7F7484C", "versionEndExcluding": "1.10.1", "versionStartIncluding": "1.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The \"go get\" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for \"://\" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site."}, {"lang": "es", "value": "La implementaci\u00f3n \"go get\" en Go 1.9.4, cuando se emplea la opci\u00f3n -insecure command-line, no valida la ruta de importaci\u00f3n (get/vcs.go solo busca \"://\" en cualquier lugar de la cadena), lo que permite que atacantes remotos ejecuten comandos arbitrarios del sistema operativo mediante un sitio web manipulado."}], "id": "CVE-2018-7187", "lastModified": "2022-08-16T13:01:06.020", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": true, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-02-16T17:29:00.403", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://gist.github.com/SLAYEROWNER/b2a358f13ab267f2e9543bb9f9320ffc"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/golang/go/issues/23867"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00029.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201804-12"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2019/dsa-4379"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2019/dsa-4380"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}