Vulnerability Report: GO-2022-0190

CVE-2018-16874
Affects: cmd/go/internal/get
Published: Aug 02, 2022
Modified: Jun 12, 2023

The "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly brace (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.

Affected Packages

Path

Versions

Symbols
cmd/go/internal/get

before go1.10.6, from go1.11.0-0 before go1.11.3

all symbols

Aliases

CVE-2018-16874

References

https://go.dev/cl/154101
https://go.googlesource.com/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3
https://go.dev/issue/29230
https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0
https://vuln.go.dev/ID/GO-2022-0190.json

Credits

ztz of Tencent Security Platform

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL