| modules: |
| - module: cmd |
| versions: |
| - fixed: 1.10.6 |
| - introduced: 1.11.0 |
| fixed: 1.11.3 |
| vulnerable_at: 1.11.2 |
| packages: |
| - package: cmd/go/internal/get |
| symbols: |
| - downloadPackage |
| description: | |
| The "go get" command is vulnerable to directory traversal when executed |
| with the import path of a malicious Go package which contains curly brace |
| (both '{' and '}' characters). |
| |
| Specifically, it is only vulnerable in GOPATH mode, but not in module mode |
| (the distinction is documented at |
| https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause |
| an arbitrary filesystem write, which can lead to code execution. |
| published: 2022-08-02T15:44:23Z |
| cves: |
| - CVE-2018-16874 |
| credit: ztz of Tencent Security Platform |
| references: |
| - fix: https://go.dev/cl/154101 |
| - fix: https://go.googlesource.com/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3 |
| - report: https://go.dev/issue/29230 |
| - web: https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0 |
