data/reports/GO-2022-0203.yaml - vulndb - Git at Google

 modules:
   - module: cmd
     versions:
       - fixed: 1.9.5
       - introduced: 1.10.0
         fixed: 1.10.1
     vulnerable_at: 1.10.0
     packages:
       - package: cmd/go
         skip_fix: 'TODO: revisit this reason (cant request explicit version of standard
             library package cmd/go)'
 description: |
     The "go get" command is vulnerable to remote code execution.

     When the -insecure command-line option is used, "go get" does not validate
     the import path (get/vcs.go only checks for "://" anywhere in the string),
     which allows remote attackers to execute arbitrary OS commands via a
     crafted web site.
 published: 2022-08-09T23:19:00Z
 cves:
   - CVE-2018-7187
 credit: Arthur Khashaev
 references:
   - fix: https://go.dev/cl/94603
   - fix: https://go.googlesource.com/go/+/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc
   - report: https://go.dev/issue/23867
   - web: https://groups.google.com/g/golang-announce/c/IkPkOF8JqLs/m/TFBbWHJYAwAJ
	modules:
	- module: cmd
	versions:
	- fixed: 1.9.5
	- introduced: 1.10.0
	fixed: 1.10.1
	vulnerable_at: 1.10.0
	packages:
	- package: cmd/go
	skip_fix: 'TODO: revisit this reason (cant request explicit version of standard
	library package cmd/go)'
	description: \|
	The "go get" command is vulnerable to remote code execution.

	When the -insecure command-line option is used, "go get" does not validate
	the import path (get/vcs.go only checks for "://" anywhere in the string),
	which allows remote attackers to execute arbitrary OS commands via a
	crafted web site.
	published: 2022-08-09T23:19:00Z
	cves:
	- CVE-2018-7187
	credit: Arthur Khashaev
	references:
	- fix: https://go.dev/cl/94603
	- fix: https://go.googlesource.com/go/+/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc
	- report: https://go.dev/issue/23867
	- web: https://groups.google.com/g/golang-announce/c/IkPkOF8JqLs/m/TFBbWHJYAwAJ