CVE-2018-7187: OS Command Injection
First published: Fri Feb 16 2018(Updated: )
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/golang | ||
| debian/golang-1.10 | ||
| debian/golang-1.7 | ||
| Golang Go | <1.9.5 | |
| Golang Go | >=1.10<1.10.1 | |
| Debian Debian Linux | =7.0 | |
| Debian Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/golang/go/issues/23867
- https://github.com/golang/go/commit/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc
- https://security-tracker.debian.org/tracker/CVE-2018-7187
- https://gist.github.com/SLAYEROWNER/b2a358f13ab267f2e9543bb9f9320ffc
- https://lists.debian.org/debian-lts-announce/2018/02/msg00029.html
- https://security.gentoo.org/glsa/201804-12
- https://www.debian.org/security/2019/dsa-4379
- https://www.debian.org/security/2019/dsa-4380
- collector/security-tracker-debian
- collector/nvd-index
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/type
- agent/event
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- vendor/golang
- canonical/golang go
- version/golang go/1.10
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/7.0
- version/debian debian linux/9.0