Multiple vulnerabilities in Go
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2018-16874 CVE-2018-16873 CVE-2018-16875 |
| CWE-ID | CWE-22 CWE-77 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Go programming language Universal components / Libraries / Scripting languages |
| Vendor |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Path traversal
EUVDB-ID: #VU16544
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2018-16874
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to conduct a directory traversal attack on the target system.
The vulnerability exists in the go get command due to path traversal attack when the affected software executes the go get command with the import path of a Go package that contains curly braces. A remote unauthenticated attacker can execute the go get command, trick the victim into accessing a Go package that submits malicious input, conduct a directory traversal attack, which the attacker can use to execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationThe vulnerability has been fixed in the version 1.10.6, 1.11.3.
Vulnerable software versionsGo programming language: 1.0 - 1.11.2
CPE2.3- cpe:2.3:a:google:golang:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.9.7:*:*:*:*:*:*:*
https://github.com/golang/go/issues/29231
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Command injection
EUVDB-ID: #VU16545
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2018-16873
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists in the go get command due to import path of a malicious Go package, or a package that imports it directly or indirectly. A remote unauthenticated attacker can use a vanity import path that ends with "/.git", use custom domains to arrange things so that a Git repository is cloned to a folder named ".git", trick the victim into considering the parent directory as a repository root, and run Git commands on it that will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, and execute arbitrary code on the system running "go get -u".
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationThe vulnerability has been fixed in the version 1.10.6, 1.11.3.
Vulnerable software versionsGo programming language: 1.0 - 1.11.2
CPE2.3- cpe:2.3:a:google:golang:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.9.7:*:*:*:*:*:*:*
https://github.com/golang/go/issues/29230
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper input validation
EUVDB-ID: #VU16546
Risk: Low
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-16875
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists on Go TLS servers accepting client certificates and TLS clients due to the crypto/x509 package does not limit the amount of work performed for each chain verification. A remote unauthenticated attacker can craft pathological inputs leading to a CPU denial of service.
MitigationThe vulnerability has been fixed in the version 1.10.6, 1.11.3.
Vulnerable software versionsGo programming language: 1.0 - 1.11.2
CPE2.3- cpe:2.3:a:google:golang:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:google:golang:1.9.7:*:*:*:*:*:*:*
https://github.com/golang/go/issues/29233
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
