Published: 05/10/2017 Updated: 19/03/2021

CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10

CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

VMScore: 668

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Go prior to 1.8.4 and 1.9.x prior to 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get."

Vulnerable Product	Search on Vulmon	Subscribe to Product
golang go
golang go 1.9
debian debian linux 9.0
redhat developer tools 1.0
redhat enterprise linux eus 7.6
redhat enterprise linux eus 7.7
redhat enterprise linux server 7.0
redhat enterprise linux server aus 7.6
redhat enterprise linux server aus 7.7
redhat enterprise linux tus 7.6
redhat enterprise linux tus 7.7

Synopsis Moderate: go-toolset-7 and go-toolset-7-golang security and bug fix update Type/Severity Security Advisory: Moderate Topic An update for go-toolset-7 and go-toolset-7-golang is now available for Red Hat Developer ToolsRed Hat Product Security has rated this update as having a security impact of Mo ...

Synopsis Moderate: golang security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic An update for golang is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring Syst ...

Arbitrary code execution during go get or go get -d:Go before 184 and 19x before 191 allows "go get" remote command execution Using custom domains, it is possible to arrange things so that examplecom/pkg1 points to a Subversion repository but examplecom/pkg1/pkg2 points to a Git repository If the Subversion repository includes a Git check ...

An arbitrary command execution flaw was found in the way Go's "go get" command handled the checkout of source code repositories A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side ...

Arbitrary code execution during go get or go get -dGo before 184 and 19x before 191 allows "go get" remote command execution Using custom domains, it is possible to arrange things so that examplecom/pkg1 points to a Subversion repository but examplecom/pkg1/pkg2 points to a Git repository If the Subversion repository includes a Git checko ...

Go before 184 and 19x before 191 allows "go get" remote command execution Using custom domains, it is possible to arrange things so that examplecom/pkg1 points to a Subversion repository but examplecom/pkg1/pkg2 points to a Git repository If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is don ...

NVD-CWE-noinfo https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ https://golang.org/cl/68190 https://golang.org/cl/68022 https://github.com/golang/go/issues/22125 http://www.securityfocus.com/bid/101196 https://security.gentoo.org/glsa/201710-23 https://access.redhat.com/errata/RHSA-2017:3463 https://access.redhat.com/errata/RHSA-2018:0878 https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html https://nvd.nist.gov https://access.redhat.com/errata/RHSA-2017:3463 https://alas.aws.amazon.com/ALAS-2017-918.html

CVE-2017-15041

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect