cbcvebase.
CVE-2018-7187
published 2018-02-16


Priority: P267 (high)
CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 63.23% (99.1th percentile)
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
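To make the weakness above concrete, here is an added illustration (not code from the Go project, the upstream fix, or this advisory): a check with the shape the advisory describes, which only looks for "://" somewhere in the string, beside a stricter parse-based validation of the repo root. The allowed-scheme list, the function names and the sample inputs are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed allowlist for this example, not the toolchain's own list;
// plaintext http is included because -insecure is meant to permit it.
var allowedSchemes = map[string]bool{
	"https": true, "http": true, "git": true, "ssh": true, "git+ssh": true,
}

// weakRepoRootCheck has the shape of the check the advisory describes:
// it only asks whether "://" occurs anywhere in the string.
func weakRepoRootCheck(repoRoot string) bool {
	return strings.Contains(repoRoot, "://")
}

// strictRepoRootCheck (illustrative hardening, an assumption, not the
// upstream fix) parses the value as a URL and requires an allowed scheme
// at the very start of the string plus a non-empty host.
func strictRepoRootCheck(repoRoot string) error {
	u, err := url.Parse(repoRoot)
	if err != nil {
		return fmt.Errorf("not a parseable URL: %w", err)
	}
	if !allowedSchemes[u.Scheme] {
		return fmt.Errorf("scheme %q is not an allowed VCS scheme", u.Scheme)
	}
	if u.Host == "" {
		return errors.New("repo root has no host")
	}
	return nil
}

func main() {
	// Constructed sample repo roots: one well-formed, the rest malformed in
	// ways that a bare "://" substring test does not notice.
	for _, r := range []string{
		"https://example.com/org/repo",
		"ftp://example.com/org/repo",
		"not a url -x://example.com",
		"https://",
	} {
		fmt.Printf("%-32q weak=%-5v strict=%v\n", r, weakRepoRootCheck(r), strictRepoRootCheck(r))
	}
}
```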

Affected (4 ranges)

Vendor    Product        Version range          Fixed in
debian    debian_linux
debian    debian_linux
golang    go             < 1.9.5                1.9.5
golang    go             >= 1.10, < 1.10.1      1.10.1

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered when 'go get' is invoked with the -insecure flag and an unvalidated import path; detect use of 'go get -insecure' with non-standard or crafted VCS paths in process execution logs.
  • The vulnerable code path is in get/vcs.go; audit or monitor changes/calls to this file in Go toolchain deployments.
  • Upstream patch commit c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc can be used as a reference diff to build detection logic for unpatched Go toolchain binaries.
  • The vulnerability only manifests when the -insecure command-line option is explicitly passed to 'go get'; deployments not using -insecure are not affected.
  • Red Hat OpenShift Enterprise 3 is listed as Affected, while Red Hat Enterprise Linux 7 is 'Will not fix' and RHEL 8 / Ceph Storage 2 & 3 / Storage 3 are Not affected; scope detection efforts accordingly.
  • golang in Red Hat OpenStack 8 & 9 was provided as an unsupported technical preview only and is not intended for production; treat those environments as lower priority.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd             v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
osv                       8.8     HIGH
vendor_redhat             8.8     HIGH