Vulnerability Details : CVE-2018-16873
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u".
Vulnerability category: Input validation; Execute code
Products affected by CVE-2018-16873
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:12:-:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-16873
- EPSS score: 28.79% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~97% (the proportion of vulnerabilities that are scored at or below this level)
CVSS scores for CVE-2018-16873
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
| 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.6 | 5.9 | Red Hat, Inc. | |
| 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST | |
CWE ids for CVE-2018-16873
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
  Assigned by:
  - nvd@nist.gov (Secondary)
  - secalert@redhat.com (Primary)
References for CVE-2018-16873
- https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html
  [SECURITY] [DLA 2592-1] golang-1.8 security update (Mailing List; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html
  [security-announce] openSUSE-SU-2019:1079-1: important: Security update (Mailing List; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html
  [security-announce] openSUSE-SU-2020:0554-1: important: Security update (Mailing List; Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873
  1657563 – (CVE-2018-16873) CVE-2018-16873 golang: "go get" command vulnerable to RCE via import of malicious package (Issue Tracking; Third Party Advisory)
- https://security.gentoo.org/glsa/201812-09
  Go: Multiple vulnerabilities (GLSA 201812-09) — Gentoo security (Mitigation; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html
  [security-announce] openSUSE-SU-2019:1444-1: important: Security update (Mailing List; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html
  [SECURITY] [DLA 2591-1] golang-1.7 security update (Mailing List; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html
  [security-announce] openSUSE-SU-2019:1703-1: moderate: Security update f (Mailing List; Third Party Advisory)
- http://www.securityfocus.com/bid/106226
  Golang Go CVE-2018-16873 Remote Code Execution Vulnerability (Third Party Advisory; VDB Entry)
- https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0
  [security] Go 1.11.3 and Go 1.10.6 are released - Google Groups (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
  [security-announce] openSUSE-SU-2019:1506-1: important: Security update (Mailing List; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html
  [security-announce] openSUSE-SU-2019:1499-1: important: Security update (Mailing List; Third Party Advisory)