CVE-2018-6574

Description

Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.

CVSS Metrics

• v3.0•HIGH•Score: 7.8CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• v2.0•MEDIUM•Score: 4.6AV:L/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 36.79%• Percentile: 97%

Techniques & Countermeasures

• CWE-94•Improper Control of Generation of Code ('Code Injection')

  The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Affected Systems

• debian•debian_linux

  9.0

• golang•go

  ≤ 1.8.6 | 1.9 | 1.9.1 | 1.9.2 | 1.9.3 | 1.10:beta1 | 1.10:beta2 | 1.10:rc1

• Go•toolchain

  ≥ 1.9.0-0, < 1.9.4

• redhat•enterprise_linux_server

  7.0

• redhat•enterprise_linux_server_aus

  7.6

• redhat•enterprise_linux_server_eus

  7.6

• redhat•enterprise_linux_server_tus

  7.6

References (10)

• https://access.redhat.com/errata/RHSA-2018:1304
• https://access.redhat.com/errata/RHSA-2018:0878
• https://www.debian.org/security/2019/dsa-4380
• https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/CVE-2018-6574
• https://groups.google.com/forum/#%21topic/golang-nuts/sprOaQ5m3Dk
• https://github.com/golang/go/issues/23672
• https://groups.google.com/forum/#%21topic/golang-nuts/Gbhh1NxAjMU
• https://go.googlesource.com/go/+/1dcb5836ad2c60776561da2923c70576ba2eefc6
• https://go.dev/issue/23672
• https://groups.google.com/g/golang-nuts/c/Gbhh1NxAjMU