CVE-2018-16874Improper Input Validation in GO

CWE-20Improper Input ValidationCWE-22Path Traversal10 documents6 sources
Severity
8.1HIGHNVD
EPSS
5.7%
top 9.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Golang GODebian LinuxOpensuse Backports SLE+2 more
Timeline
PublishedDec 14
Latest updateAug 2

Description

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages4 packages

NVDgolang/go1.11.01.11.3+1
NVDopensuse/leap15.0, 15.1, 42.3+2

Also affects: Debian Linux 9.0

🔴Vulnerability Details

4
OSV
Directory traversal via "go get" command in cmd/go2022-08-02
GHSA
GHSA-7p6h-w6m6-5fm2: In Go before 12022-05-13
CVEList
CVE-2018-16874: In Go before 12018-12-14
OSV
CVE-2018-16874: In Go before 12018-12-14

📋Vendor Advisories

1
Red Hat
golang: "go get" vulnerable to directory traversal via malicious package2018-12-13

💬Community

4
Bugzilla
CVE-2018-16873 CVE-2018-16874 CVE-2018-16875 golang: various flaws [epel-all]2019-01-08
Bugzilla
CVE-2018-16873 CVE-2018-16874 CVE-2018-16875 golang:1.10/golang: various flaws [fedora-all]2019-01-04
Bugzilla
CVE-2018-16874 golang: "go get" vulnerable to directory traversal via malicious package [fedora-all]2018-12-14
Bugzilla
CVE-2018-16874 golang: "go get" vulnerable to directory traversal via malicious package2018-12-10
CVE-2018-16874 — Improper Input Validation in Golang GO | cvebase