CVE-2018-6574

high-risk
Published 2018-02-07

Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.

Do I need to act?

!
36.8% chance of exploitation in next 30 days
EPSS score — higher than 63% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.8/10 High
LOCAL / LOW complexity

Affected Products (13)

Go
Go
Go
Go
Go
Go
Go
Go

Affected Vendors

Debian Redhat Golang

References (14)

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:0878
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:1304
Exploit https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/CVE-2018-6574
Issue Tracking https://github.com/golang/go/issues/23672
https://groups.google.com/forum/#%21topic/golang-nuts/Gbhh1NxAjMU
https://groups.google.com/forum/#%21topic/golang-nuts/sprOaQ5m3Dk
Third Party Advisory https://www.debian.org/security/2019/dsa-4380
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:0878
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:1304
Exploit https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/CVE-2018-6574
Issue Tracking https://github.com/golang/go/issues/23672
https://groups.google.com/forum/#%21topic/golang-nuts/Gbhh1NxAjMU
https://groups.google.com/forum/#%21topic/golang-nuts/sprOaQ5m3Dk
Third Party Advisory https://www.debian.org/security/2019/dsa-4380
57
/ 100
high-risk
Severity 24/34 · High
Exploitability 16/34 · Moderate
Exposure 17/34 · Moderate