Vulnerability Details : CVE-2017-15041
Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get."
Products affected by CVE-2017-15041
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_tus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_tus:7.7:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:developer_tools:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
- cpe:2.3:a:golang:go:1.9:-:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-15041
5.53%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 92 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-15041
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
References for CVE-2017-15041
-
https://access.redhat.com/errata/RHSA-2018:0878
RHSA-2018:0878 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html
[SECURITY] [DLA 2592-1] golang-1.8 security updateMailing List;Third Party Advisory
-
https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ
[security] Go 1.8.4 and Go 1.9.1 are released - Google GroepenMailing List;Vendor Advisory
-
https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html
[SECURITY] [DLA 2591-1] golang-1.7 security updateMailing List;Third Party Advisory
-
https://golang.org/cl/68190
Issue Tracking;Patch;Vendor Advisory
-
https://security.gentoo.org/glsa/201710-23
Go: Multiple vulnerabilities (GLSA 201710-23) — Gentoo securityThird Party Advisory
-
https://github.com/golang/go/issues/22125
cmd/go: arbitrary code execution during “go get” or “go get -d” [Go 1.8] · Issue #22125 · golang/go · GitHubIssue Tracking;Patch;Third Party Advisory
-
https://golang.org/cl/68022
Issue Tracking;Patch;Vendor Advisory
-
http://www.securityfocus.com/bid/101196
Golang Go CVE-2017-15041 Remote Code Execution VulnerabilityThird Party Advisory;VDB Entry
-
https://access.redhat.com/errata/RHSA-2017:3463
RHSA-2017:3463 - Security Advisory - Red Hat Customer PortalThird Party Advisory
Jump to