{"api_version":"1","generated_at":"2026-04-23T04:10:09+00:00","cve":"CVE-2018-16873","urls":{"html":"https://cve.report/CVE-2018-16873","api":"https://cve.report/api/cve/CVE-2018-16873.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-16873","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-16873"},"summary":{"title":"CVE-2018-16873","description":"In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\".","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2018-12-14 14:29:00","updated_at":"2023-11-07 02:53:00"},"problem_types":["CWE-20"],"metrics":[],"references":[{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html","name":"openSUSE-SU-2019:1444","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2019:1444-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html","name":"[debian-lts-announce] 20210313 [SECURITY] [DLA 2591-1] golang-1.7 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2591-1] golang-1.7 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html","name":"openSUSE-SU-2020:0554","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:0554-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873","refsource":"CONFIRM","tags":["Issue Tracking","Third Party Advisory"],"title":"1657563 – (CVE-2018-16873) CVE-2018-16873 golang: \"go get\" command vulnerable to RCE via import of malicious package","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0","name":"https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0","refsource":"","tags":[],"title":"Google Groups","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html","name":"[debian-lts-announce] 20210313 [SECURITY] [DLA 2592-1] golang-1.8 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2592-1] golang-1.8 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0","name":"https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0","refsource":"MISC","tags":["Third Party Advisory"],"title":"Google Groups","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html","name":"openSUSE-SU-2019:1079","refsource":"SUSE","tags":["Third Party Advisory"],"title":"[security-announce] openSUSE-SU-2019:1079-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html","name":"openSUSE-SU-2019:1499","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2019:1499-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html","name":"openSUSE-SU-2019:1506","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2019:1506-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/106226","name":"106226","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Golang Go CVE-2018-16873 Remote Code Execution Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html","name":"openSUSE-SU-2019:1703","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2019:1703-1: moderate: Security update f","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/201812-09","name":"GLSA-201812-09","refsource":"GENTOO","tags":["Mitigation","Third Party Advisory"],"title":"Go: Multiple vulnerabilities (GLSA 201812-09) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-16873","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-16873","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"16873","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"16873","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"16873","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"16873","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"opensuse","cpe5":"backports_sle","cpe6":"15.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"16873","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"leap","cpe6":"15.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"16873","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"leap","cpe6":"15.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"16873","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"leap","cpe6":"42.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"16873","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"leap","cpe6":"42.3","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"16873","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"suse","cpe5":"linux_enterprise_server","cpe6":"12","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2018-16873","qid":"174971","title":"SUSE Enterprise Linux Security Update for containerd, docker, runc (SUSE-SU-2021:1458-1)"},{"cve":"CVE-2018-16873","qid":"296075","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 21.69.0 Missing (CPUAPR2020)"},{"cve":"CVE-2018-16873","qid":"710317","title":"Gentoo Linux Go Multiple Vulnerabilities (GLSA 201812-09)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"secalert@redhat.com","ID":"CVE-2018-16873","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"golang","version":{"version_data":[{"version_value":"1.10.6"},{"version_value":"1.11.3"}]}}]},"vendor_name":"[UNKNOWN]"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\"."}]},"impact":{"cvss":[[{"vectorString":"7.5/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.0"}]]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-20"}]}]},"references":{"reference_data":[{"name":"106226","refsource":"BID","url":"http://www.securityfocus.com/bid/106226"},{"name":"GLSA-201812-09","refsource":"GENTOO","url":"https://security.gentoo.org/glsa/201812-09"},{"name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873","refsource":"CONFIRM","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873"},{"name":"https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0","refsource":"MISC","url":"https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0"},{"refsource":"SUSE","name":"openSUSE-SU-2019:1079","url":"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html"},{"refsource":"SUSE","name":"openSUSE-SU-2019:1444","url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html"},{"refsource":"SUSE","name":"openSUSE-SU-2019:1499","url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html"},{"refsource":"SUSE","name":"openSUSE-SU-2019:1506","url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html"},{"refsource":"SUSE","name":"openSUSE-SU-2019:1703","url":"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html"},{"refsource":"SUSE","name":"openSUSE-SU-2020:0554","url":"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html"},{"refsource":"MLIST","name":"[debian-lts-announce] 20210313 [SECURITY] [DLA 2591-1] golang-1.7 security update","url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html"},{"refsource":"MLIST","name":"[debian-lts-announce] 20210313 [SECURITY] [DLA 2592-1] golang-1.8 security update","url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html"}]}},"nvd":{"publishedDate":"2018-12-14 14:29:00","lastModifiedDate":"2023-11-07 02:53:00","problem_types":["CWE-20"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionStartIncluding":"1.11.0","versionEndExcluding":"1.11.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionEndExcluding":"1.10.6","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:suse:linux_enterprise_server:12:-:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"16873","Ordinal":"133684","Title":"CVE-2018-16873","CVE":"CVE-2018-16873","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"16873","Ordinal":"1","NoteData":"In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\".","Type":"Description","Title":null},{"CveYear":"2018","CveId":"16873","Ordinal":"2","NoteData":"2018-12-14","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"16873","Ordinal":"3","NoteData":"2021-03-13","Type":"Other","Title":"Modified"}]}}}