CVE-2018-16873

CWE-20 — Improper Input Validation10 documents6 sources

Severity

8.1HIGH

EPSS

56.8%

top 1.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang GO [unknown] Golang Debian Debian Linux +3 more

Timeline

PublishedDec 14

Latest updateAug 4

Description

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder …

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages6 packages

▶NVDgolang/go1.11.0 — 1.11.3+1

▶CVEListV5[unknown]/golang1.10.6, 1.11.3+1

▶Gotoolchain1.11.0-0 — 1.11.3+1

▶NVDopensuse/leap15.0, 15.1, 42.3+2

▶NVDopensuse/backports_sle15.0

Also affects: Debian Linux 9.0

🔴Vulnerability Details

OSV

Remote command execution via "go get" with "-u" flag in cmd/go↗2022-08-04

▶

GHSA

GHSA-q6pp-3q54-qw37: In Go before 1↗2022-05-13

▶

OSV

CVE-2018-16873: In Go before 1↗2018-12-14

▶

CVEList

CVE-2018-16873: In Go before 1↗2018-12-14

▶

📋Vendor Advisories

Red Hat

golang: "go get" command vulnerable to RCE via import of malicious package↗2018-12-13

▶

💬Community

Bugzilla

CVE-2018-16873 CVE-2018-16874 CVE-2018-16875 golang: various flaws [epel-all]↗2019-01-08

▶

Bugzilla

CVE-2018-16873 CVE-2018-16874 CVE-2018-16875 golang:1.10/golang: various flaws [fedora-all]↗2019-01-04

▶

Bugzilla

CVE-2018-16873 golang: "go get" command vulnerable to RCE via import of malicious package [fedora-all]↗2018-12-14

▶

Bugzilla

CVE-2018-16873 golang: "go get" command vulnerable to RCE via import of malicious package↗2018-12-10

▶