CVE-2018-7187

Published: 16/02/2018 Updated: 16/08/2022
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 829
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote malicious users to execute arbitrary OS commands via a crafted web site.

Vulnerable Products

golang go

debian debian linux 7.0

debian debian linux 9.0

Vendor Advisories

Debian Bug report logs - #895663 golang-1.9: CVE-2018-7187: arbitrary command execution via VCS path. Package: src:golang-1.9; Maintainer for src:golang-1.9 is (unknown); Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 14 Apr 2018 08:51:01 UTC; Severity: important; Tags: fixed-upstream, security, upstream. Fo ...
Arbitrary code execution during "go get" via C compiler options: An arbitrary command execution flaw was found in the way Go's "go get" command handled gcc and clang sensitive options during the build. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side ...
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site ...