CVE-2018-7187

Published: 16/02/2018 Updated: 28/02/2019
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 828
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote malicious users to execute arbitrary OS commands via a crafted web site.

Vulnerable Product

golang go

debian debian linux 7.0

debian debian linux 9.0

Vendor Advisories

Debian Bug report logs - #895663 golang-1.9: CVE-2018-7187: arbitrary command execution via VCS path. Package: src:golang-1.9; Maintainer for src:golang-1.9 is (unknown); Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 14 Apr 2018 08:51:01 UTC; Severity: important; Tags: fixed-upstream, security, upstream Fo ...
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site ...
Arbitrary code execution during "go get" via C compiler options: An arbitrary command execution flaw was found in the way Go's "go get" command handled gcc and clang sensitive options during the build. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side ...

Mailing Lists

Debian Security Advisory DSA-4379-1, security@debian.org, www.debian.org/security/, Moritz Muehlenhoff, February 01, 2019, www.debian.org/security/faq ...
Debian Security Advisory DSA-4380-1, security@debian.org, www.debian.org/security/, Moritz Muehlenhoff, February 01, 2019, www.debian.org/security/faq ...

Github Repositories

This code is for exploiting CVE-2018-7187