Command injection in Go programming language - CVE-2018-6574
Published: April 25, 2018 / Updated: May 27, 2022
Vulnerability identifier: #VU12162
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2018-6574
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: Google
Affected software:
Go programming language
Go programming language
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The weakness exists due to "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. A remote attacker can execute arbitrary commands.
The weakness exists due to "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. A remote attacker can execute arbitrary commands.
How to mitigate CVE-2018-6574
Update to versions 1.8.7, 1.9.4 or 1.10rc2.