Fluid Attacks Database

Description

Remote command execution via "go get" command with "-insecure" option in cmd/go The "go get" command is vulnerable to remote code execution.

When the -insecure command-line option is used, "go get" does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	toolchain	>=0 <1.9.5	1.9.5
rpm rhel7	golang	-	-

Aliases

1. CVE-2018-71872. NVD-2018-71873. OSV-GO-2022-02034. OSV-2018-71875. GCVE-2018-7187

References

1. https://go.dev/cl/946032. https://go.googlesource.com/go/+/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc3. https://go.dev/issue/238674. https://groups.google.com/g/golang-announce/c/IkPkOF8JqLs/m/TFBbWHJYAwAJ

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.