In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2024-08-05T10:32:54.222Z

Reserved: 2018-09-11T00:00:00

Link: CVE-2018-16874

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-12-14T14:29:00.427

Modified: 2024-11-21T03:53:30.140

Link: CVE-2018-16874

cve-icon Redhat

Severity : Moderate

Publid Date: 2018-12-13T20:00:00Z

Links: CVE-2018-16874 - Bugzilla

cve-icon OpenCVE Enrichment

No data.