#VU16544 Path traversal in Go programming language - CVE-2018-16874
Published: December 14, 2018 / Updated: December 14, 2018
Vulnerability identifier: #VU16544
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-16874
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Go programming language
Go programming language
Software vendor:
Google
Description
The vulnerability allows a remote attacker to conduct a directory traversal attack on the target system.
The vulnerability exists in the go get command due to path traversal attack when the affected software executes the go get command with the import path of a Go package that contains curly braces. A remote unauthenticated attacker can execute the go get command, trick the victim into accessing a Go package that submits malicious input, conduct a directory traversal attack, which the attacker can use to execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
The vulnerability has been fixed in the version 1.10.6, 1.11.3.