Remote Code Execution in Go Packages by Google
CVE-2018-16873

7.5HIGH

Key Information:

Vendor

[unknown]

Status
Golang
Vendor
CVE Published:
14 December 2018

What is CVE-2018-16873?

The Go programming language versions prior to 1.10.6 and 1.11.x before 1.11.3 are susceptible to a remote code execution vulnerability. When using the 'go get -u' command with a malicious Go package import path, it can lead to executing arbitrary Git commands on the host machine. This occurs when a custom domain tricks the system into treating a directory mimicking a Git repository as a legitimate repository root, allowing harmful operations defined in the repository's configuration files to be executed. This vulnerability highlights significant risks in GOPATH mode, emphasizing the importance of employing module mode for enhanced security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

golang 1.10.6

golang 1.11.3

References

http://www.securityfocus.com/bid/106226
vdb-entryx_refsource_BID
https://security.gentoo.org/glsa/201812-09
vendor-advisoryx_refsource_GENTOO
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873
x_refsource_CONFIRM

EPSS Score

60% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.