CVE-2018-6574 — Code Injection in GO

CWE-94 — Code Injection CWE-20 — Improper Input Validation9 documents6 sources

Severity

7.8HIGHNVD

EPSS

36.8%

top 2.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang GO Debian Linux Redhat Enterprise Linux Server +3 more

Timeline

PublishedFeb 7

Latest updateAug 9

Description

Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶NVDgolang/go1.8.6+5

▶NVDredhat/enterprise_linux_server7.0

Also affects: Debian Linux 9.0, Enterprise Linux 7.6

🔴Vulnerability Details

OSV

Remote command execution via "go get" command with cgo in cmd/go↗2022-08-09

▶

GHSA

GHSA-c37c-qq99-c897: Go before 1↗2022-05-13

▶

OSV

CVE-2018-6574: Go before 1↗2018-02-07

▶

CVEList

CVE-2018-6574: Go before 1↗2018-02-07

▶

📋Vendor Advisories

Red Hat

golang: arbitrary code execution during "go get" via C compiler options↗2018-02-07

▶

💬Community

Bugzilla

CVE-2018-6574 golang: arbitrary code execution during "go get" via C compiler options [fedora-all]↗2018-02-08

▶

Bugzilla

CVE-2018-6574 golang: arbitrary code execution during "go get" via C compiler options [epel-6]↗2018-02-08

▶

Bugzilla

CVE-2018-6574 golang: arbitrary code execution during "go get" via C compiler options↗2018-02-08

▶