CVE-2018-16874 MEDIUM

CVE-2018-16874

Vendor [Unknown]

Product golang

Weakness CWE-20 · Input validation

Published December 14, 2018

Last update August 5, 2024

View on NVD All CVEs

CVSS base score

6.8/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.

Key dates

02Disclosure timeline

December 14, 2018 CVE published

August 5, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2018-16874

Related vulnerabilities

Identifiers

CVE CVE-2018-16874

CWE CWE-20

CVSS 6.8 / MEDIUM

Affected versions

Vendor [Unknown]

Product golang

Affected 1.10.6

Vendor [Unknown]

Product golang

Affected 1.11.3

CVE-2018-16874

01Description

02Disclosure timeline

03References

04Related CVE