Vulnerability Report: GO-2022-0203

CVE-2018-7187
Affects: cmd/go
Published: Aug 09, 2022
Modified: Jun 12, 2023

The "go get" command is vulnerable to remote code execution. When the -insecure command-line option is used, "go get" does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.

Affected Packages

Path

Versions

Symbols
cmd/go

before go1.9.5, from go1.10.0-0 before go1.10.1

all symbols

Aliases

CVE-2018-7187

References

https://go.dev/cl/94603
https://go.googlesource.com/go/+/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc
https://go.dev/issue/23867
https://groups.google.com/g/golang-announce/c/IkPkOF8JqLs/m/TFBbWHJYAwAJ
https://vuln.go.dev/ID/GO-2022-0203.json

Credits

Arthur Khashaev

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL