| id: GO-2022-0203 |
| modules: |
| - module: cmd |
| versions: |
| - fixed: 1.9.5 |
| - introduced: 1.10.0-0 |
| - fixed: 1.10.1 |
| vulnerable_at: 1.10.0 |
| packages: |
| - package: cmd/go |
| skip_fix: 'TODO: revisit this reason (cant request explicit version of standard library package cmd/go)' |
| summary: Remote command execution via "go get" command with "-insecure" option in cmd/go |
| description: |- |
| The "go get" command is vulnerable to remote code execution. |
| |
| When the -insecure command-line option is used, "go get" does not validate the |
| import path (get/vcs.go only checks for "://" anywhere in the string), which |
| allows remote attackers to execute arbitrary OS commands via a crafted web site. |
| published: 2022-08-09T23:19:00Z |
| cves: |
| - CVE-2018-7187 |
| credits: |
| - Arthur Khashaev |
| references: |
| - fix: https://go.dev/cl/94603 |
| - fix: https://go.googlesource.com/go/+/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc |
| - report: https://go.dev/issue/23867 |
| - web: https://groups.google.com/g/golang-announce/c/IkPkOF8JqLs/m/TFBbWHJYAwAJ |
| review_status: REVIEWED |