| id: GO-2022-0190 |
| modules: |
| - module: cmd |
| versions: |
| - fixed: 1.10.6 |
| - introduced: 1.11.0-0 |
| - fixed: 1.11.3 |
| vulnerable_at: 1.11.2 |
| packages: |
| - package: cmd/go/internal/get |
| symbols: |
| - downloadPackage |
| skip_fix: 'TODO: revisit this reason (cant request explicit version v1.11.2 of standard library package cmd/go/internal/get' |
| summary: Directory traversal via "go get" command in cmd/go |
| description: |- |
| The "go get" command is vulnerable to directory traversal when executed with the |
| import path of a malicious Go package which contains curly brace (both '{' and |
| '}' characters). |
| |
| Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the |
| distinction is documented at |
| https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an |
| arbitrary filesystem write, which can lead to code execution. |
| published: 2022-08-02T15:44:23Z |
| cves: |
| - CVE-2018-16874 |
| credits: |
| - ztz of Tencent Security Platform |
| references: |
| - fix: https://go.dev/cl/154101 |
| - fix: https://go.googlesource.com/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3 |
| - report: https://go.dev/issue/29230 |
| - web: https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0 |
| review_status: REVIEWED |
