data/osv/GO-2022-0189.json - vulndb - Git at Google

 {
   "id": "GO-2022-0189",
   "published": "2022-08-04T21:30:35Z",
   "modified": "0001-01-01T00:00:00Z",
   "aliases": [
     "CVE-2018-16873"
   ],
   "details": "The \"go get\" command is vulnerable to remote code execution when executed\nwith the -u flag and the import path of a malicious Go package, or a\npackage that imports it directly or indirectly.\n\nSpecifically, it is only vulnerable in GOPATH mode, but not in module mode\n(the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get).\n\nUsing custom domains, it's possible to arrange things so that a Git\nrepository is cloned to a folder named \".git\" by using a vanity import path\nthat ends with \"/.git\". If the Git repository root contains a \"HEAD\" file,\na \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work\nto ensure the proper ordering of operations, \"go get -u\" can be tricked\ninto considering the parent directory as a repository root, and running Git\ncommands on it. That will use the \"config\" file in the original Git\nrepository root for its configuration, and if that config file contains\nmalicious commands, they will execute on the system running \"go get -u\".\n\nNote that forbidding import paths with a .git element might not be\nsufficient to mitigate this issue, as on certain systems there can be other\naliases for VCS state folders.\n",
   "affected": [
     {
       "package": {
         "name": "toolchain",
         "ecosystem": "Go"
       },
       "ranges": [
         {
           "type": "SEMVER",
           "events": [
             {
               "introduced": "0"
             },
             {
               "fixed": "1.10.6"
             },
             {
               "introduced": "1.11.0"
             },
             {
               "fixed": "1.11.3"
             }
           ]
         }
       ],
       "database_specific": {
         "url": "https://pkg.go.dev/vuln/GO-2022-0189"
       },
       "ecosystem_specific": {
         "imports": [
           {
             "path": "cmd/go/internal/get",
             "symbols": [
               "downloadPackage"
             ]
           }
         ]
       }
     }
   ],
   "references": [
     {
       "type": "FIX",
       "url": "https://go.dev/cl/154101"
     },
     {
       "type": "FIX",
       "url": "https://go.googlesource.com/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3"
     },
     {
       "type": "REPORT",
       "url": "https://go.dev/issue/29230"
     },
     {
       "type": "WEB",
       "url": "https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0"
     }
   ]
 }
	{
	"id": "GO-2022-0189",
	"published": "2022-08-04T21:30:35Z",
	"modified": "0001-01-01T00:00:00Z",
	"aliases": [
	"CVE-2018-16873"
	],
	"details": "The \"go get\" command is vulnerable to remote code execution when executed\nwith the -u flag and the import path of a malicious Go package, or a\npackage that imports it directly or indirectly.\n\nSpecifically, it is only vulnerable in GOPATH mode, but not in module mode\n(the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get).\n\nUsing custom domains, it's possible to arrange things so that a Git\nrepository is cloned to a folder named \".git\" by using a vanity import path\nthat ends with \"/.git\". If the Git repository root contains a \"HEAD\" file,\na \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work\nto ensure the proper ordering of operations, \"go get -u\" can be tricked\ninto considering the parent directory as a repository root, and running Git\ncommands on it. That will use the \"config\" file in the original Git\nrepository root for its configuration, and if that config file contains\nmalicious commands, they will execute on the system running \"go get -u\".\n\nNote that forbidding import paths with a .git element might not be\nsufficient to mitigate this issue, as on certain systems there can be other\naliases for VCS state folders.\n",
	"affected": [
	{
	"package": {
	"name": "toolchain",
	"ecosystem": "Go"
	},
	"ranges": [
	{
	"type": "SEMVER",
	"events": [
	{
	"introduced": "0"
	},
	{
	"fixed": "1.10.6"
	},
	{
	"introduced": "1.11.0"
	},
	{
	"fixed": "1.11.3"
	}
	]
	}
	],
	"database_specific": {
	"url": "https://pkg.go.dev/vuln/GO-2022-0189"
	},
	"ecosystem_specific": {
	"imports": [
	{
	"path": "cmd/go/internal/get",
	"symbols": [
	"downloadPackage"
	]
	}
	]
	}
	}
	],
	"references": [
	{
	"type": "FIX",
	"url": "https://go.dev/cl/154101"
	},
	{
	"type": "FIX",
	"url": "https://go.googlesource.com/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3"
	},
	{
	"type": "REPORT",
	"url": "https://go.dev/issue/29230"
	},
	{
	"type": "WEB",
	"url": "https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0"
	}
	]
	}