Main Vulnerability Database Vulnerabilities #VU16545

Command injection in Go programming language - CVE-2018-16873

Published: December 14, 2018

Vulnerability identifier: #VU16545

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2018-16873

CWE-ID: CWE-77

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Google

Affected software:
Go programming language

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists in the go get command due to import path of a malicious Go package, or a package that imports it directly or indirectly. A remote unauthenticated attacker can use a vanity import path that ends with "/.git", use custom domains to arrange things so that a Git repository is cloned to a folder named ".git", trick the victim into considering the parent directory as a repository root, and run Git commands on it that will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, and execute arbitrary code on the system running "go get -u".

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

How to mitigate CVE-2018-16873

The vulnerability has been fixed in the version 1.10.6, 1.11.3.

Sources

https://github.com/golang/go/issues/29230

Command injection in Go programming language - CVE-2018-16873

Detailed vulnerability description

How to mitigate CVE-2018-16873

Sources

Please verify you're human