CVE-2018-16874

Published: 14/12/2018 Updated: 03/06/2019
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

In Go prior to 1.10.6 and 1.11.x prior to 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.

Vulnerable Products

golang go

opensuse leap 42.3

Vendor Advisories

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at golang.or ...
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at http ...
Arch Linux Security Advisory ASA-201812-11
Severity: High
Date: 2018-12-18
CVE-ID: CVE-2018-16873 CVE-2018-16874 CVE-2018-16875
Package: go
Type: multiple issues
Remote: Yes
Link: security.archlinux.org/AVG-835
Summary: The package go before version 2:1.11.3-1 is vulnerab ...

Arch Linux Security Advisory ASA-201812-12
Severity: High
Date: 2018-12-18
CVE-ID: CVE-2018-16873 CVE-2018-16874 CVE-2018-16875
Package: go-pie
Type: multiple issues
Remote: Yes
Link: security.archlinux.org/AVG-835
Summary: The package go-pie before version 2:1.11.3-1 is ...
