blob: e8a914c0d73c08567967cc581dac8957d0610905 [file] [log] [blame]
id: GO-2022-0203
modules:
- module: cmd
versions:
- fixed: 1.9.5
- introduced: 1.10.0-0
- fixed: 1.10.1
vulnerable_at: 1.10.0
packages:
- package: cmd/go
skip_fix: 'TODO: revisit this reason (cant request explicit version of standard library package cmd/go)'
summary: Remote command execution via "go get" command with "-insecure" option in cmd/go
description: |-
The "go get" command is vulnerable to remote code execution.
When the -insecure command-line option is used, "go get" does not validate the
import path (get/vcs.go only checks for "://" anywhere in the string), which
allows remote attackers to execute arbitrary OS commands via a crafted web site.
published: 2022-08-09T23:19:00Z
cves:
- CVE-2018-7187
credits:
- Arthur Khashaev
references:
- fix: https://go.dev/cl/94603
- fix: https://go.googlesource.com/go/+/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc
- report: https://go.dev/issue/23867
- web: https://groups.google.com/g/golang-announce/c/IkPkOF8JqLs/m/TFBbWHJYAwAJ
review_status: REVIEWED