CVE-2018-7187
Aliases:GO-2022-0203
Advisory lineage Upstream: 0 Downstream: 9
Modified
Published: 16 Feb 2018, 17:00
Last modified:05 Aug 2024, 06:24
Vulnerability Summary
Overall Risk (default)
high
70/100 CVSS Score
9.3 HIGH
v2.0 (nvd)
EPSS Score
7.59% LOW
8% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected
Timeline
16 Feb 2018, 17:00
Published
Vulnerability first disclosed
05 Aug 2024, 06:24
Last Modified
Vulnerability information updated
Description
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
CVSS Metrics
- v3.1•HIGH•Score: 8.8CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- v2.0•HIGH•Score: 9.3AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS Trends
Current EPSS score: 7.59%• Percentile: 92%
Techniques & Countermeasures
- CWE-78•Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Affected Systems
- debian•debian_linux
7.0 | 9.0
- golang•go
< 1.9.5 | ≥ 1.10, < 1.10.1
- Go•toolchain
≥ 1.10.0-0, < 1.10.1
References (10)
- https://lists.debian.org/debian-lts-announce/2018/02/msg00029.html
- https://www.debian.org/security/2019/dsa-4380
- https://security.gentoo.org/glsa/201804-12
- https://www.debian.org/security/2019/dsa-4379
- https://github.com/golang/go/issues/23867
- https://gist.github.com/SLAYEROWNER/b2a358f13ab267f2e9543bb9f9320ffc
- https://go.dev/cl/94603
- https://go.googlesource.com/go/+/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc
- https://go.dev/issue/23867
- https://groups.google.com/g/golang-announce/c/IkPkOF8JqLs/m/TFBbWHJYAwAJ