#VU12162 Command injection in Go programming language - CVE-2018-6574
Published: April 25, 2018 / Updated: May 27, 2022
Vulnerability identifier: #VU12162
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2018-6574
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
Go programming language
Go programming language
Software vendor:
Google
Description
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The weakness exists due to "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. A remote attacker can execute arbitrary commands.
The weakness exists due to "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. A remote attacker can execute arbitrary commands.
Remediation
Update to versions 1.8.7, 1.9.4 or 1.10rc2.