Vulnerability identifier: #VU16545
Vulnerability risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-77
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Go programming language
Universal components / Libraries /
Scripting languages
Vendor: Google
Description
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists in the go get command due to import path of a malicious Go package, or a package that imports it directly or indirectly. A remote unauthenticated attacker can use a vanity import path that ends with "/.git", use custom domains to arrange things so that a Git repository is cloned to a folder named ".git", trick the victim into considering the parent directory as a repository root, and run Git commands on it that will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, and execute arbitrary code on the system running "go get -u".
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Mitigation
The vulnerability has been fixed in the version 1.10.6, 1.11.3.
Vulnerable software versions
Go programming language: 1.11 - 1.11beta3, 1.10 - 1.10.5, 1.9 - 1.9.7, 1.8 - 1.8.7, 1.7 - 1.7.6, 1.6 - 1.6.4, 1.5 - 1.5.4, 1.4 - 1.4.3, 1.3 - 1.3.3, 1.2 - 1.2.2, 1.1.0 - 1.1.2, 1.0 - 1.0.3
External links
http://github.com/golang/go/issues/29230
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.