CVE-2018-7187 — OS Command Injection in GO

CWE-78 — OS Command Injection CWE-20 — Improper Input Validation9 documents6 sources

Severity

8.8HIGHNVD

EPSS

7.6%

top 8.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang GO Debian Linux

Timeline

PublishedFeb 16

Latest updateAug 9

Description

The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDgolang/go1.10 — 1.10.1+1

Also affects: Debian Linux 7.0, 9.0

🔴Vulnerability Details

OSV

Remote command execution via "go get" command with "-insecure" option in cmd/go↗2022-08-09

▶

GHSA

GHSA-44r2-v58f-9q85: The "go get" implementation in Go 1↗2022-05-14

▶

CVEList

CVE-2018-7187: The "go get" implementation in Go 1↗2018-02-16

▶

OSV

CVE-2018-7187: The "go get" implementation in Go 1↗2018-02-16

▶

📋Vendor Advisories

Red Hat

golang: arbitrary command execution via VCS path↗2018-02-16

▶

💬Community

Bugzilla

CVE-2018-7187 golang: arbitrary command execution via VCS path [epel-6]↗2018-02-16

▶

Bugzilla

CVE-2018-7187 golang: arbitrary command execution via VCS path↗2018-02-16

▶

Bugzilla

CVE-2018-7187 golang: arbitrary command execution via VCS path [fedora-all]↗2018-02-16

▶