CVE-2018-16873

Summary

CVE	CVE-2018-16873
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2018-12-14 14:29:00 UTC
Updated	2023-11-07 02:53:00 UTC
Description	In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u".

Risk And Classification

Problem Types: CWE-20

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Golang	Go	All	All	All	All
Application	Golang	Go	All	All	All	All
Application	Opensuse	Backports Sle	15.0	-	All	All
Operating System	Opensuse	Leap	15.0	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Operating System	Opensuse	Leap	42.3	All	All	All
Operating System	Opensuse	Leap	42.3	All	All	All
Operating System	Suse	Linux Enterprise Server	12	-	All	All

References

Reference	Source	Link	Tags
[security-announce] openSUSE-SU-2019:1444-1: important: Security update	SUSE	lists.opensuse.org
[SECURITY] [DLA 2591-1] golang-1.7 security update	MLIST	lists.debian.org
[security-announce] openSUSE-SU-2020:0554-1: important: Security update	SUSE	lists.opensuse.org
1657563 – (CVE-2018-16873) CVE-2018-16873 golang: "go get" command vulnerable to RCE via import of malicious package	CONFIRM	bugzilla.redhat.com	Issue Tracking, Third Party Advisory
Google Groups		groups.google.com
[SECURITY] [DLA 2592-1] golang-1.8 security update	MLIST	lists.debian.org
Google Groups	MISC	groups.google.com	Third Party Advisory
[security-announce] openSUSE-SU-2019:1079-1: important: Security update	SUSE	lists.opensuse.org	Third Party Advisory
[security-announce] openSUSE-SU-2019:1499-1: important: Security update	SUSE	lists.opensuse.org
[security-announce] openSUSE-SU-2019:1506-1: important: Security update	SUSE	lists.opensuse.org
Golang Go CVE-2018-16873 Remote Code Execution Vulnerability	BID	www.securityfocus.com	Third Party Advisory, VDB Entry
[security-announce] openSUSE-SU-2019:1703-1: moderate: Security update f	SUSE	lists.opensuse.org
Go: Multiple vulnerabilities (GLSA 201812-09) — Gentoo security	GENTOO	security.gentoo.org	Mitigation, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

174971 SUSE Enterprise Linux Security Update for containerd, docker, runc (SUSE-SU-2021:1458-1)
296075 Oracle Solaris 11.4 Support Repository Update (SRU) 21.69.0 Missing (CPUAPR2020)
710317 Gentoo Linux Go Multiple Vulnerabilities (GLSA 201812-09)