CVE-2018-16874

Public on 2018-12-14
Modified on 2018-12-14
Description
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.
Severity
Medium
CVSS v3 Base Score
6.8
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 1 golang 2018-12-14 18:50 ALAS-2018-1130

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 6.8 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
NVD CVSSv2 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
NVD CVSSv3 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H