CVE-2018-16873

high-risk
Published 2018-12-14

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u".

Do I need to act?

!
56.8% chance of exploitation in next 30 days
EPSS score — higher than 43% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.1/10 High
NETWORK / HIGH complexity

Affected Products (7)

Go

Affected Vendors

Debian Suse Opensuse Golang

References (24)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html
Third Party Advisory http://www.securityfocus.com/bid/106226
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873
https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0
Mailing List https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html
Mailing List https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html
Mitigation https://security.gentoo.org/glsa/201812-09
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html
Third Party Advisory http://www.securityfocus.com/bid/106226
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873
and 4 more references
56
/ 100
high-risk
Severity 24/34 · High
Exploitability 18/34 · Moderate
Exposure 14/34 · Moderate