The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
References
Link | Resource |
---|---|
https://gist.github.com/SLAYEROWNER/b2a358f13ab267f2e9543bb9f9320ffc | Third Party Advisory |
https://github.com/golang/go/issues/23867 | Exploit Issue Tracking Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2018/02/msg00029.html | Mailing List Third Party Advisory |
https://security.gentoo.org/glsa/201804-12 | Third Party Advisory |
https://www.debian.org/security/2019/dsa-4379 | Third Party Advisory |
https://www.debian.org/security/2019/dsa-4380 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2018-02-16T17:00:00
Updated: 2019-02-02T10:57:01
Reserved: 2018-02-16T00:00:00
Link: CVE-2018-7187
JSON object: View
NVD Information
Status : Analyzed
Published: 2018-02-16T17:29:00.403
Modified: 2022-08-16T13:01:06.020
Link: CVE-2018-7187
JSON object: View
Redhat Information
No data.
CWE