Vulnerability identifier: #VU16545

Vulnerability risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-16873

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Go programming language
Universal components / Libraries / Scripting languages

Vendor: Google

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists in the go get command due to import path of a malicious Go package, or a package that imports it directly or indirectly. A remote unauthenticated attacker can use a vanity import path that ends with "/.git", use custom domains to arrange things so that a Git repository is cloned to a folder named ".git", trick the victim into considering the parent directory as a repository root, and run Git commands on it that will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, and execute arbitrary code on the system running "go get -u".

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
The vulnerability has been fixed in the version 1.10.6, 1.11.3.

Vulnerable software versions

Go programming language: 1.11 - 1.11beta3, 1.10 - 1.10.5, 1.9 - 1.9.7, 1.8 - 1.8.7, 1.7 - 1.7.6, 1.6 - 1.6.4, 1.5 - 1.5.4, 1.4 - 1.4.3, 1.3 - 1.3.3, 1.2 - 1.2.2, 1.1.0 - 1.1.2, 1.0 - 1.0.3

---

External links
http://github.com/golang/go/issues/29230

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.