In Go prior to 1.10.6 and 1.11.x prior to 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package that contains curly braces (both '{' and '}' characters). It is only vulnerable in GOPATH mode, not in module mode (the distinction is documented at golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.
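As an added example (not code from the advisory or the Go project), a Go helper that gates on the advisory's affected version range and GOPATH/module distinction, and a defensive pre-check that rejects import paths carrying the curly braces the advisory names; the function names, the handling of full `go version` output, and the extra ".." segment check are assumptions of my own.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// versionRe matches a "go1.MINOR[.PATCH]" tag, bare or inside full
// `go version` output such as "go version go1.11.2 linux/amd64".
var versionRe = regexp.MustCompile(`\bgo1\.(\d+)(?:\.(\d+))?`)

// Affected reports whether the toolchain is inside the advisory's range
// (any Go before 1.10.6, or 1.11.x before 1.11.3) and `go get` would run
// in GOPATH mode; module mode is not affected, so it returns false there.
// A missing patch number ("go1.11") counts as 0, i.e. inside the range.
func Affected(version string, moduleMode bool) (bool, error) {
	m := versionRe.FindStringSubmatch(version)
	if m == nil {
		return false, fmt.Errorf("no go1.x version tag in %q", version)
	}
	minor, _ := strconv.Atoi(m[1])
	patch, _ := strconv.Atoi(m[2]) // "" parses to 0
	switch {
	case moduleMode:
		return false, nil
	case minor < 10:
		return true, nil
	case minor == 10:
		return patch < 6, nil
	case minor == 11:
		return patch < 3, nil
	}
	return false, nil // 1.12 and later are outside the affected range
}

// ValidateImportPath is a defensive pre-check for untrusted import paths on
// an affected toolchain: rejects the advisory's curly braces and ".." segments.
func ValidateImportPath(p string) error {
	if strings.ContainsAny(p, "{}") {
		return fmt.Errorf("import path %q contains curly braces", p)
	}
	for _, seg := range strings.Split(p, "/") {
		if seg == ".." {
			return fmt.Errorf("import path %q contains a \"..\" segment", p)
		}
	}
	return nil
}
```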
| Vulnerable Product |
|---|
| golang go |
| opensuse leap 42.3 |
| opensuse leap 15.0 |
| opensuse leap 15.1 |
| suse linux enterprise server 12 |
| opensuse backports sle 15.0 |
| debian debian linux 9.0 |