CVE-2018-16874
CVE-2018-16874 is a high-severity vulnerability with a CVSS v3.1 base score of 8.1. In Go before 1.10.6 and in 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package that contains curly braces (both '{' and '}' characters). Only GOPATH mode is affected; module mode is not (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The fix shipped in Go 1.10.6 and 1.11.3. EPSS estimates a 5.04% probability of exploitation in the next 30 days.
Description
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package that contains curly braces (both '{' and '}' characters). Only GOPATH mode is vulnerable, not module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution. Note that Go 1.10 has no module mode at all, and in Go 1.11 the default GO111MODULE=auto setting selects GOPATH mode whenever "go get" is run inside GOPATH/src or from a directory that is not within a go.mod-carrying tree, so a stock installation that fetches an attacker-controlled import path is affected unless GO111MODULE=on is set.
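As an added illustration (this is not the Go project's own fix and not code from the page's sources), the following Go program shows the two gates a GOPATH-style fetcher needs before it turns an import path into a destination directory: a lexical check that rejects curly braces, ".." elements and any character outside a narrow allowed set, and an independent confinement check that the resolved directory still lies strictly inside GOPATH/src. The GOPATH value and the sample import paths are constructed assumptions for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadImportPath is wrapped by every rejection so callers can test for it.
var ErrBadImportPath = errors.New("invalid import path")

// allowedRune reports whether r may appear in an import path element.
// The set is deliberately narrow: ASCII letters, digits and "-._~+".
// Curly braces, backslashes, whitespace and non-ASCII are all rejected.
func allowedRune(r rune) bool {
	switch {
	case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
		return true
	}
	return strings.ContainsRune("-._~+", r)
}

// checkImportPath is the lexical gate: it rejects the '{' / '}' characters
// named in the advisory explicitly (so the reason is visible in the error),
// then rejects empty, "." and ".." elements and any disallowed character.
func checkImportPath(p string) error {
	if p == "" {
		return fmt.Errorf("%w: empty path", ErrBadImportPath)
	}
	if strings.ContainsAny(p, "{}") {
		return fmt.Errorf("%w: curly braces in %q", ErrBadImportPath, p)
	}
	for _, el := range strings.Split(p, "/") {
		switch el {
		case "", ".", "..":
			return fmt.Errorf("%w: element %q in %q", ErrBadImportPath, el, p)
		}
		for _, r := range el {
			if !allowedRune(r) {
				return fmt.Errorf("%w: character %q in %q", ErrBadImportPath, r, p)
			}
		}
	}
	return nil
}

// confinedSrcDir resolves where a GOPATH-mode fetch of importPath would be
// written and refuses any destination that is not strictly inside
// GOPATH/src. It does not depend on checkImportPath, so a traversal that
// slipped past the lexical gate is still caught here.
func confinedSrcDir(gopath, importPath string) (string, error) {
	root := filepath.Clean(filepath.Join(gopath, "src"))
	dest := filepath.Clean(filepath.Join(root, filepath.FromSlash(importPath)))
	rel, err := filepath.Rel(root, dest)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves outside %s", ErrBadImportPath, importPath, root)
	}
	return dest, nil
}

// destinationFor applies both gates in order, as a fetcher should.
func destinationFor(gopath, importPath string) (string, error) {
	if err := checkImportPath(importPath); err != nil {
		return "", err
	}
	return confinedSrcDir(gopath, importPath)
}

func main() {
	// Assumed GOPATH and constructed import paths for the demonstration:
	// a benign path, one carrying the brace characters named in the
	// advisory, and plain traversal with no braces at all.
	gopath := "/home/dev/go"
	for _, p := range []string{
		"github.com/example/pkg",
		"github.com/example/{pkg}",
		"../../etc/cron.d",
	} {
		dest, err := destinationFor(gopath, p)
		if err != nil {
			fmt.Printf("rejected %q: %v\n", p, err)
			continue
		}
		fmt.Printf("would fetch %q into %s\n", p, dest)
	}
}
```

The two gates are kept separate on purpose: the lexical check gives a clear error early, while the confinement check guards the filesystem write itself and holds even if the allowed character set is later relaxed. In production Go code, golang.org/x/mod/module provides CheckImportPath for the lexical part.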
Metrics
CVSS v3.1 base score: 8.1 (High)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Golang | Go | < 1.10.6 |
| Golang | Go | >= 1.11.0, < 1.11.3 |
| Opensuse | Backports Sle | 15.0 |
| Opensuse | Leap | 15.0 |
| Opensuse | Leap | 15.1 |
| Opensuse | Leap | 42.3 |
| Suse | Linux Enterprise Server | 12 |
| Debian | Debian Linux | 9.0 |
References
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html (Mailing List, Third Party Advisory)
- http://www.securityfocus.com/bid/106228 (Third Party Advisory, VDB Entry)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16874 (Issue Tracking, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html (Mailing List, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html (Mailing List, Third Party Advisory)
- https://security.gentoo.org/glsa/201812-09 (Mitigation, Third Party Advisory)
Frequently Asked Questions
What is CVE-2018-16874?
A directory traversal vulnerability in the "go get" command of Go before 1.10.6 and 1.11.x before 1.11.3, triggered by fetching a malicious package whose import path contains curly braces. Only GOPATH mode is affected; module mode is not.
How severe is CVE-2018-16874?
High: CVSS v3.1 base score 8.1 (vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). A successful attack yields an arbitrary filesystem write, which can lead to code execution on the machine running "go get".
How do I fix CVE-2018-16874?
Upgrade to Go 1.10.6, 1.11.3, or later (the distribution advisories listed above carry backported fixes for the affected openSUSE, SUSE, Debian and Gentoo packages). Until the upgrade is in place, do not run "go get" in GOPATH mode against untrusted import paths; on Go 1.11, running in module mode (GO111MODULE=on) is not affected.
Source: NVD / NIST
