CVE-2018-7187
Published 2018-02-16
Priority: P2 · 67 · high · CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 63.23% (99.1st percentile)
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| golang | go | < 1.9.5 | 1.9.5 |
| golang | go | >= 1.10 < 1.10.1 | 1.10.1 |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered when 'go get' is invoked with the -insecure flag and an unvalidated import path; detect use of 'go get -insecure' with non-standard or crafted VCS paths in process execution logs.
- The vulnerable code path is in get/vcs.go; audit or monitor changes/calls to this file in Go toolchain deployments.
- Upstream patch commit c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc can be used as a reference diff to build detection logic for unpatched Go toolchain binaries.
- The vulnerability only manifests when the -insecure command-line option is explicitly passed to 'go get'; deployments not using -insecure are not affected.
- Red Hat OpenShift Enterprise 3 is listed as Affected, while Red Hat Enterprise Linux 7 is 'Will not fix' and RHEL 8 / Ceph Storage 2 & 3 / Storage 3 are Not affected; scope detection efforts accordingly.
- golang in Red Hat OpenStack 8 & 9 was provided as an unsupported technical preview only and is not intended for production; treat those environments as lower priority.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
Red Hat
golang: arbitrary command execution via VCS path
vendor_redhat · 2018-02-16 · CVSS 8.8 · HIGH · CWE-20
Package: golang (Red Hat Ceph Storage 2) - Not affected
Package: golang (Red Hat Ceph Storage 3) - Not affected
Package: golang (Red Hat Enterprise Linux 7) - Will not fix
Package: golang (Red Hat Enterprise Linux 8) - Not affected
Package: golang (Red Hat OpenShift Enterprise 3) - Affected
Package: golang (Red Hat OpenStack Platform 8 (Liberty) Operational Tools) - Will not fix
Package: golang (Red Hat OpenStack Platform 9 (Mitaka) Operational Tools) - Will not fix
OSV
Remote command execution via "go get" command with "-insecure" option in cmd/go
osv · 2022-08-09
The "go get" command is vulnerable to remote code execution.
When the -insecure command-line option is used, "go get" does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
GHSA
GHSA-44r2-v58f-9q85: The "go get" implementation in Go 1
ghsa_unreviewed · 2022-05-14 · HIGH · CWE-78
OSV
CVE-2018-7187: The "go get" implementation in Go 1
osv · 2018-02-16 · CVSS 8.8 · HIGH
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-7187 golang: arbitrary command execution via VCS path [epel-6]
bugzilla · 2018-02-16 · CVSS 8.8 · HIGH
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-6.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
Discussion:
Use the following template for the 'fedpkg upd
Bugzilla
CVE-2018-7187 golang: arbitrary command execution via VCS path
bugzilla · 2018-02-16 · CVSS 8.8 · HIGH
A flaw was found in Go Lang. The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
External References:
https://github.com/golang/go/issues/23867
Upstream Patch:
https://github.com/golang/go/commit/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc
Discussion:
Created golang tracking bugs for this issue:
Affects: epel-6 [bug 1546387]
Affects: fedora-all [bug 1546388]
---
golang was included in Red Hat OpenStack 8 & 9 operational tools only as a technical preview for customers, it was provided without support and is no
Bugzilla
CVE-2018-7187 golang: arbitrary command execution via VCS path [fedora-all]
bugzilla · 2018-02-16 · CVSS 8.8 · HIGH
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported versions o
References
- https://gist.github.com/SLAYEROWNER/b2a358f13ab267f2e9543bb9f9320ffc
- https://github.com/golang/go/issues/23867
- https://lists.debian.org/debian-lts-announce/2018/02/msg00029.html
- https://security.gentoo.org/glsa/201804-12
- https://www.debian.org/security/2019/dsa-4379
- https://www.debian.org/security/2019/dsa-4380