Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-16873

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u".

Published

2018-12-14T14:29:00.227

Last Modified

2024-11-21T03:53:29.973

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.1 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses

Type: Primary
CWE-20
Type: Secondary
CWE-20

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	golang	go	< 1.10.6	Yes
Application	golang	go	< 1.11.3	Yes
Application	opensuse	backports_sle	15.0	Yes
Operating System	opensuse	leap	15.0	Yes
Operating System	opensuse	leap	15.1	Yes
Operating System	opensuse	leap	42.3	Yes
Operating System	suse	linux_enterprise_server	12	Yes
Operating System	debian	debian_linux	9.0	Yes

References

http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html Mailing List, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html Mailing List, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html Mailing List, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html Mailing List, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html Mailing List, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html Mailing List, Third Party Advisory ([email protected])
http://www.securityfocus.com/bid/106226 Third Party Advisory, VDB Entry ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873 Issue Tracking, Third Party Advisory ([email protected])
https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0 ([email protected])
https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html Mailing List, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html Mailing List, Third Party Advisory ([email protected])
https://security.gentoo.org/glsa/201812-09 Mitigation, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/106226 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873 Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0 (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/201812-09 Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)