[{"id":"GO-2021-0068","published":"2021-04-14T20:04:52Z","modified":"2022-10-26T17:44:45Z","aliases":["CVE-2021-3115"],"details":"The go command may execute arbitrary code at build time when using cgo on Windows. This can be triggered by running go get on a malicious module, or any other time the code is built.","affected":[{"package":{"name":"toolchain","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.14.14"},{"introduced":"1.15.0"},{"fixed":"1.15.7"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0068"},"ecosystem_specific":{"imports":[{"path":"cmd/go","goos":["windows"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/284783"},{"type":"FIX","url":"https://go.googlesource.com/go/+/953d1feca9b21af075ad5fc8a3dad096d3ccc3a0"},{"type":"REPORT","url":"https://go.dev/issue/43783"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/mperVMGa98w/m/yo5W5wnvAAAJ"},{"type":"FIX","url":"https://go.dev/cl/284780"},{"type":"FIX","url":"https://go.googlesource.com/go/+/46e2e2e9d99925bbf724b12693c6d3e27a95d6a0"}],"credits":[{"name":"RyotaK"}]},{"id":"GO-2022-0177","published":"2022-08-09T17:31:35Z","modified":"2022-10-26T17:44:45Z","aliases":["CVE-2017-15041"],"details":"The \"go get\" command allows remote command execution.\n\nUsing custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, \"go get\" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running \"go get\".","affected":[{"package":{"name":"toolchain","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.8.4"},{"introduced":"1.9.0"},{"fixed":"1.9.1"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0177"},"ecosystem_specific":{"imports":[{"path":"cmd/go"}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/68110"},{"type":"FIX","url":"https://go.googlesource.com/go/+/ec71ee078fd3243b78c0d404c8634bd97e38d7eb"},{"type":"REPORT","url":"https://go.dev/issue/22125"},{"type":"WEB","url":"https://groups.google.com/g/golang-dev/c/RinSE3EiJBI/m/kYL7zb07AgAJ"}],"credits":[{"name":"Simon Rawet"}]},{"id":"GO-2022-0189","published":"2022-08-04T21:30:35Z","modified":"2022-10-26T17:44:45Z","aliases":["CVE-2018-16873"],"details":"The \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly.\n\nSpecifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get).\n\nUsing custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\".\n\nNote that forbidding import paths with a .git element might not be sufficient to mitigate this issue, as on certain systems there can be other aliases for VCS state folders.","affected":[{"package":{"name":"toolchain","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.10.6"},{"introduced":"1.11.0"},{"fixed":"1.11.3"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0189"},"ecosystem_specific":{"imports":[{"path":"cmd/go/internal/get","symbols":["downloadPackage"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/154101"},{"type":"FIX","url":"https://go.googlesource.com/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3"},{"type":"REPORT","url":"https://go.dev/issue/29230"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0"}],"credits":[{"name":"Etienne Stalmans of Heroku"}]},{"id":"GO-2022-0190","published":"2022-08-02T15:44:23Z","modified":"2022-10-26T17:44:45Z","aliases":["CVE-2018-16874"],"details":"The \"go get\" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly brace (both '{' and '}' characters).\n\nSpecifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.","affected":[{"package":{"name":"toolchain","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.10.6"},{"introduced":"1.11.0"},{"fixed":"1.11.3"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0190"},"ecosystem_specific":{"imports":[{"path":"cmd/go/internal/get","symbols":["downloadPackage"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/154101"},{"type":"FIX","url":"https://go.googlesource.com/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3"},{"type":"REPORT","url":"https://go.dev/issue/29230"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0"}],"credits":[{"name":"ztz of Tencent Security Platform"}]},{"id":"GO-2022-0201","published":"2022-08-09T18:15:41Z","modified":"2022-10-26T17:44:45Z","aliases":["CVE-2018-6574"],"details":"The \"go get\" command with cgo is vulnerable to remote command execution by leveraging the gcc or clang plugin feature.\n\nWhen cgo is enabled, the build step during \"go get\" invokes the host C compiler, gcc or clang, adding compiler flags specified in the Go source files. Both gcc and clang support a plugin mechanism in which a shared-library plugin is loaded into the compiler, as directed by compiler flags. This means that a Go package repository can contain an attack.so file along with a Go source file that says (for example) \"// #cgo CFLAGS: -fplugin=attack.so\" causing the attack plugin to be loaded into the host C compiler during the build. Gcc and clang plugins are completely unrestricted in their access to the host system.","affected":[{"package":{"name":"toolchain","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.8.7"},{"introduced":"1.9.0"},{"fixed":"1.9.4"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0201"},"ecosystem_specific":{"imports":[{"path":"cmd/go"}]}}],"references":[{"type":"FIX","url":"https://go.googlesource.com/go/+/1dcb5836ad2c60776561da2923c70576ba2eefc6"},{"type":"REPORT","url":"https://go.dev/issue/23672"},{"type":"WEB","url":"https://groups.google.com/g/golang-nuts/c/Gbhh1NxAjMU"}],"credits":[{"name":"Christopher Brown of Mattermost"}]},{"id":"GO-2022-0203","published":"2022-08-09T23:19:00Z","modified":"2022-10-26T17:44:45Z","aliases":["CVE-2018-7187"],"details":"The \"go get\" command is vulnerable to remote code execution.\n\nWhen the -insecure command-line option is used, \"go get\" does not validate the import path (get/vcs.go only checks for \"://\" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.","affected":[{"package":{"name":"toolchain","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.9.5"},{"introduced":"1.10.0"},{"fixed":"1.10.1"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0203"},"ecosystem_specific":{"imports":[{"path":"cmd/go"}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/94603"},{"type":"FIX","url":"https://go.googlesource.com/go/+/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc"},{"type":"REPORT","url":"https://go.dev/issue/23867"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/IkPkOF8JqLs/m/TFBbWHJYAwAJ"}],"credits":[{"name":"Arthur Khashaev"}]},{"id":"GO-2022-0247","published":"2022-05-24T20:14:28Z","modified":"2022-10-26T17:44:45Z","aliases":["CVE-2021-38297"],"details":"When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments due to a buffer overflow error.\n\nIf using wasm_exec.js to execute WASM modules, users will need to replace their copy (as described in https://golang.org/wiki/WebAssembly#getting-started) after rebuilding any modules.","affected":[{"package":{"name":"toolchain","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.16.9"},{"introduced":"1.17.0"},{"fixed":"1.17.2"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0247"},"ecosystem_specific":{"imports":[{"path":"cmd/link","goos":["js"],"goarch":["wasm"],"symbols":["Link.address"]},{"path":"misc/wasm","goos":["js"],"goarch":["wasm"],"symbols":["run"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/354571"},{"type":"FIX","url":"https://go.googlesource.com/go/+/77f2750f4398990eed972186706f160631d7dae4"},{"type":"REPORT","url":"https://go.dev/issue/48797"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/AEBu9j7yj5A"}],"credits":[{"name":"Ben Lubar"}]},{"id":"GO-2022-0318","published":"2022-08-01T22:20:42Z","modified":"2022-10-26T17:44:45Z","aliases":["CVE-2022-23773"],"details":"Incorrect access control is possible in the go command.\n\nThe go command can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is authorized to create branches but not tags.","affected":[{"package":{"name":"toolchain","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.16.14"},{"introduced":"1.17.0"},{"fixed":"1.17.7"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0318"},"ecosystem_specific":{"imports":[{"path":"cmd/go/internal/modfetch","symbols":["codeRepo.convert","codeRepo.validatePseudoVersion"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/378400"},{"type":"FIX","url":"https://go.googlesource.com/go/+/fa4d9b8e2bc2612960c80474fca83a4c85a974eb"},{"type":"REPORT","url":"https://go.dev/issue/35671"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/SUsQn0aSgPQ"}]},{"id":"GO-2022-0475","published":"2022-07-28T17:24:30Z","modified":"2022-10-26T17:44:45Z","aliases":["CVE-2020-28366"],"details":"The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code.\n\nThis can be caused by malicious unquoted symbol name in a linked object file.","affected":[{"package":{"name":"toolchain","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.14.12"},{"introduced":"1.15.0"},{"fixed":"1.15.5"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0475"},"ecosystem_specific":{"imports":[{"path":"cmd/go","symbols":["Builder.cgo"]},{"path":"cmd/cgo","symbols":["dynimport"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/269658"},{"type":"FIX","url":"https://go.googlesource.com/go/+/062e0e5ce6df339dc26732438ad771f73dbf2292"},{"type":"REPORT","url":"https://go.dev/issue/42559"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM"}],"credits":[{"name":"Chris Brown and Tempus Ex"}]},{"id":"GO-2022-0476","published":"2022-07-28T17:24:43Z","modified":"2022-10-26T17:44:45Z","aliases":["CVE-2020-28367"],"details":"The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code.\n\nThis can be caused by malicious gcc flags specified via a cgo directive.","affected":[{"package":{"name":"toolchain","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.14.12"},{"introduced":"1.15.0"},{"fixed":"1.15.5"}]}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0476"},"ecosystem_specific":{"imports":[{"path":"cmd/go","symbols":["validCompilerFlags"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/267277"},{"type":"FIX","url":"https://go.googlesource.com/go/+/da7aa86917811a571e6634b45a457f918b8e6561"},{"type":"REPORT","url":"https://go.dev/issue/42556"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM"}],"credits":[{"name":"Imre Rad"}]}] |