Vulnerability Details : CVE-2018-16874
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.
Vulnerability category: Directory traversalInput validation
Products affected by CVE-2018-16874
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:12:-:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-16874
2.74%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 90 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-16874
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
6.8
|
MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
1.6
|
5.2
|
Red Hat, Inc. | |
8.1
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
2.2
|
5.9
|
NIST |
CWE ids for CVE-2018-16874
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: secalert@redhat.com (Primary)
-
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Assigned by: nvd@nist.gov (Secondary)
References for CVE-2018-16874
-
http://www.securityfocus.com/bid/106228
Golang Go CVE-2018-16874 Directory Traversal VulnerabilityThird Party Advisory;VDB Entry
-
https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html
[SECURITY] [DLA 2592-1] golang-1.8 security updateMailing List;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html
[security-announce] openSUSE-SU-2019:1079-1: important: Security updateMailing List;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html
[security-announce] openSUSE-SU-2020:0554-1: important: Security updateMailing List;Third Party Advisory
-
https://security.gentoo.org/glsa/201812-09
Go: Multiple vulnerabilities (GLSA 201812-09) — Gentoo securityMitigation;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html
[security-announce] openSUSE-SU-2019:1444-1: important: Security updateMailing List;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html
[SECURITY] [DLA 2591-1] golang-1.7 security updateMailing List;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html
[security-announce] openSUSE-SU-2019:1703-1: moderate: Security update fMailing List;Third Party Advisory
-
https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0
[security] Go 1.11.3 and Go 1.10.6 are released - Google GroepenThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
[security-announce] openSUSE-SU-2019:1506-1: important: Security updateMailing List;Third Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16874
1657564 – (CVE-2018-16874) CVE-2018-16874 golang: "go get" vulnerable to directory traversal via malicious packageIssue Tracking;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html
[security-announce] openSUSE-SU-2019:1499-1: important: Security updateMailing List;Third Party Advisory
Jump to