| id: GO-2022-0177 |
| modules: |
| - module: cmd |
| versions: |
| - fixed: 1.8.4 |
| - introduced: 1.9.0-0 |
| fixed: 1.9.1 |
| vulnerable_at: 1.9.0 |
| packages: |
| - package: cmd/go |
| skip_fix: 'TODO: revisit this reason (cant request explicit version of standard library package cmd/go)' |
| summary: Remote command execution via "go get" in cmd/go |
| description: |- |
| The "go get" command allows remote command execution. |
| |
| Using custom domains, it is possible to arrange things so that example.com/pkg1 |
| points to a Subversion repository but example.com/pkg1/pkg2 points to a Git |
| repository. If the Subversion repository includes a Git checkout in its pkg2 |
| directory and some other work is done to ensure the proper ordering of |
| operations, "go get" can be tricked into reusing this Git checkout for the fetch |
| of code from pkg2. If the Subversion repository's Git checkout has malicious |
| commands in .git/hooks/, they will execute on the system running "go get". |
| published: 2022-08-09T17:31:35Z |
| cves: |
| - CVE-2017-15041 |
| credits: |
| - Simon Rawet |
| references: |
| - fix: https://go.dev/cl/68110 |
| - fix: https://go.googlesource.com/go/+/ec71ee078fd3243b78c0d404c8634bd97e38d7eb |
| - report: https://go.dev/issue/22125 |
| - web: https://groups.google.com/g/golang-dev/c/RinSE3EiJBI/m/kYL7zb07AgAJ |
| review_status: REVIEWED |
