CVE-2018-16873
Description
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u".
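Two checks a practitioner can run against the mechanics described above, written as an added example for this page (it is neither the go command's own validation nor the upstream fix). The first refuses import paths with an element that begins with a dot, which covers the "/.git" suffix the description relies on; that policy is a hypothetical one for this example and is stricter than what go get historically enforced. The second scans an existing GOPATH for the on-disk condition the attack needs: a checkout that lives in a directory named ".git", detected by the fact that cloning into a directory named ".git" leaves the clone's real metadata at ".git/.git" (a property of git, not something the page states), and reports which of HEAD, config, objects and refs were committed into that checkout so that git run in the parent directory would read them.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// ImportPathError explains why an import path was refused.
type ImportPathError struct {
	Path, Elem, Reason string
}

func (e *ImportPathError) Error() string {
	return fmt.Sprintf("import path %q: element %q: %s", e.Path, e.Elem, e.Reason)
}

// CheckImportPath refuses any import path that would make "go get" create a
// directory whose name git treats specially. Hypothetical policy for this
// example (not the go command's own rules): no empty elements, no "." or "..",
// and no element starting with a dot, which covers a trailing "/.git".
func CheckImportPath(path string) error {
	if path == "" {
		return &ImportPathError{Path: path, Reason: "empty path"}
	}
	for _, elem := range strings.Split(path, "/") {
		switch {
		case elem == "":
			return &ImportPathError{Path: path, Elem: elem, Reason: "empty element"}
		case elem == "." || elem == "..":
			return &ImportPathError{Path: path, Elem: elem, Reason: "relative element"}
		case strings.HasPrefix(elem, "."):
			return &ImportPathError{Path: path, Elem: elem, Reason: "leading dot"}
		}
	}
	return nil
}

// Finding is one checkout under GOPATH/src that sits in a directory named
// ".git" and therefore shadows the metadata directory of its parent.
type Finding struct {
	Dir     string   // the ".git" directory that is really a clone
	Parent  string   // the directory git would mistake for a repository root
	Markers []string // which of HEAD, config, objects, refs were committed into it
}

var gitMarkers = []string{"HEAD", "config", "objects", "refs"}

// ScanGOPATH walks srcRoot (normally $GOPATH/src) and reports every directory
// named ".git" that contains its own nested ".git": that nesting is what
// "git clone <url> .git" leaves behind, and a genuine metadata directory never
// has it. For each hit it records which of the four markers git looks for in a
// repository root are present, i.e. were committed by the upstream repository.
func ScanGOPATH(srcRoot string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(srcRoot, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if !d.IsDir() || d.Name() != ".git" {
			return nil
		}
		// Whatever it is, never descend into a .git directory's contents.
		nested, err := os.Stat(filepath.Join(p, ".git"))
		if err != nil || !nested.IsDir() {
			return filepath.SkipDir
		}
		f := Finding{Dir: p, Parent: filepath.Dir(p)}
		for _, m := range gitMarkers {
			if _, err := os.Stat(filepath.Join(p, m)); err == nil {
				f.Markers = append(f.Markers, m)
			}
		}
		findings = append(findings, f)
		return filepath.SkipDir
	})
	return findings, err
}

func main() {
	for _, p := range []string{"github.com/golang/go", "example.com/vanity/.git"} {
		if err := CheckImportPath(p); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Println("accept:", p)
		}
	}
	gopath := os.Getenv("GOPATH")
	if gopath == "" {
		return
	}
	findings, err := ScanGOPATH(filepath.Join(gopath, "src"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("suspicious: %s is a checkout; git run in %s would read %s/config (markers: %v)\n",
			f.Dir, f.Parent, f.Dir, f.Markers)
	}
}
```

The scanner is useful after the fact on machines that ran an unpatched go get -u: a hit whose Markers include "config" is exactly the layout the description calls out, and that config file should be inspected before any further git command is run in the parent directory. The import-path check is the kind of guard a wrapper around go get or a private module proxy can apply before anything is cloned.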
Affected products
74 affected entries, 73 of them with OSV package coordinates. Each line gives the package coordinate, the distribution, and the version range marked as affected (fixed in the version shown):
- pkg:rpm/opensuse/containerd (openSUSE Leap 15.0): < 1.2.5-lp150.4.14.3
- pkg:rpm/opensuse/containerd (openSUSE Leap 15.1): < 1.2.5-lp151.2.3.1
- pkg:rpm/opensuse/containerd (openSUSE Tumbleweed): < 1.4.8-2.2
- pkg:rpm/opensuse/cri-o (openSUSE Leap 15.1): < 1.17.1-lp151.2.2
- pkg:rpm/opensuse/cri-o (openSUSE Tumbleweed): < 1.22.0-1.2
- pkg:rpm/opensuse/cri-tools (openSUSE Leap 15.1): < 1.18.0-lp151.2.1
- pkg:rpm/opensuse/docker (openSUSE Leap 15.0): < 18.09.6_ce-lp150.5.17.2
- pkg:rpm/opensuse/docker (openSUSE Leap 15.1): < 18.09.6_ce-lp151.2.3.1
- pkg:rpm/opensuse/docker (openSUSE Tumbleweed): < 20.10.6_ce-2.1
- pkg:rpm/opensuse/docker-runc (openSUSE Leap 15.0): < 1.0.0rc6+gitr3804_2b18fe1d885e-lp150.5.21.2
- pkg:rpm/opensuse/docker-runc (openSUSE Leap 15.1): < 1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1
- pkg:rpm/opensuse/docker-stable (openSUSE Leap 15.6): < 24.0.9_ce-150000.1.25.1
- pkg:rpm/opensuse/docker-stable (openSUSE Tumbleweed): < 24.0.9_ce-15.1
- pkg:rpm/opensuse/etcd (openSUSE Leap 15.5): < 3.5.12-150000.7.6.1
- pkg:rpm/opensuse/etcd (openSUSE Leap 15.6): < 3.5.12-150000.7.6.1
- pkg:rpm/opensuse/etcd (openSUSE Tumbleweed): < 3.4.16-3.1
- pkg:rpm/opensuse/flannel (openSUSE Tumbleweed): < 0.14.0-1.2
- pkg:rpm/opensuse/go1.10 (openSUSE Tumbleweed): < 1.10.8-8.2
- pkg:rpm/opensuse/go1.11 (openSUSE Leap 15.0): < 1.11.9-lp150.9.3
- pkg:rpm/opensuse/go1.11 (openSUSE Leap 15.1): < 1.11.9-lp151.2.3.1
- pkg:rpm/opensuse/go1.11 (openSUSE Tumbleweed): < 1.11.13-10.5
- pkg:rpm/opensuse/go1.12 (openSUSE Leap 15.0): < 1.12.4-lp150.2.2
- pkg:rpm/opensuse/go1.12 (openSUSE Leap 15.1): < 1.12.4-lp151.2.3.1
- pkg:rpm/opensuse/go1.12 (openSUSE Tumbleweed): < 1.12.17-4.8
- pkg:rpm/opensuse/go1.14 (openSUSE Leap 15.1): < 1.14-lp151.6.1
- pkg:rpm/opensuse/go (openSUSE Leap 15.0): < 1.12-lp150.2.11.1
- pkg:rpm/opensuse/go (openSUSE Leap 15.1): < 1.12-lp151.2.3.1
- pkg:rpm/opensuse/go (openSUSE Tumbleweed): < 1.17-1.1
- pkg:rpm/opensuse/golang-github-docker-libnetwork (openSUSE Leap 15.0): < 0.7.0.1+gitr2726_872f0a83c98a-lp150.3.14.1
- pkg:rpm/opensuse/golang-github-docker-libnetwork (openSUSE Leap 15.1): < 0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1
- pkg:rpm/opensuse/helm3 (openSUSE Tumbleweed): < 3.19.2-1.1
- pkg:rpm/opensuse/helm (openSUSE Tumbleweed): < 3.6.3-1.1
- pkg:rpm/opensuse/helm-mirror (openSUSE Tumbleweed): < 0.3.1-1.9
- pkg:rpm/opensuse/kubernetes (openSUSE Leap 15.1): < 1.18.0-lp151.5.1
- pkg:rpm/opensuse/runc (openSUSE Tumbleweed): < 1.0.2-1.2
- pkg:rpm/suse/containerd (SUSE Linux Enterprise Module for Containers 12): < 1.2.2-16.14.2
- pkg:rpm/suse/containerd (SUSE Linux Enterprise Module for Containers 15): < 1.1.2-5.3.4
- pkg:rpm/suse/containerd (SUSE Linux Enterprise Module for Containers 15 SP1): < 1.2.5-5.13.1
- pkg:rpm/suse/containerd (SUSE OpenStack Cloud 6-LTSS): < 1.2.2-16.14.2
- pkg:rpm/suse/docker (SUSE Linux Enterprise Module for Containers 12): < 18.09.1_ce-98.34.2
- pkg:rpm/suse/docker (SUSE Linux Enterprise Module for Containers 15): < 18.06.1_ce-6.8.2
- pkg:rpm/suse/docker (SUSE Linux Enterprise Module for Containers 15 SP1): < 18.09.6_ce-6.17.1
- pkg:rpm/suse/docker (SUSE OpenStack Cloud 6-LTSS): < 18.09.1_ce-98.34.2
- pkg:rpm/suse/docker-runc (SUSE Linux Enterprise Module for Containers 12): < 1.0.0rc6+gitr3748_96ec2177ae84-1.17.2
- pkg:rpm/suse/docker-runc (SUSE Linux Enterprise Module for Containers 15): < 1.0.0rc5+gitr3562_69663f0bd4b6-6.3.4
- pkg:rpm/suse/docker-runc (SUSE Linux Enterprise Module for Containers 15 SP1): < 1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1
- pkg:rpm/suse/docker-runc (SUSE OpenStack Cloud 6-LTSS): < 1.0.0rc6+gitr3748_96ec2177ae84-1.17.2
- pkg:rpm/suse/docker-stable (SUSE Enterprise Storage 7.1): < 24.0.9_ce-150000.1.25.1
- pkg:rpm/suse/docker-stable (SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS): < 24.0.9_ce-150000.1.25.1
- pkg:rpm/suse/docker-stable (SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS): < 24.0.9_ce-150000.1.25.1
- pkg:rpm/suse/docker-stable (SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS): < 24.0.9_ce-150000.1.25.1
- pkg:rpm/suse/docker-stable (SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS): < 24.0.9_ce-150000.1.25.1
- pkg:rpm/suse/docker-stable (SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS): < 24.0.9_ce-150000.1.25.1
- pkg:rpm/suse/docker-stable (SUSE Linux Enterprise Module for Containers 15 SP6): < 24.0.9_ce-150000.1.25.1
- pkg:rpm/suse/docker-stable (SUSE Linux Enterprise Module for Containers 15 SP7): < 24.0.9_ce-150000.1.25.1
- pkg:rpm/suse/docker-stable (SUSE Linux Enterprise Server 12 SP5-LTSS): < 24.0.9_ce-1.20.1
- pkg:rpm/suse/docker-stable (SUSE Linux Enterprise Server 15 SP3-LTSS): < 24.0.9_ce-150000.1.25.1
- pkg:rpm/suse/docker-stable (SUSE Linux Enterprise Server 15 SP4-LTSS): < 24.0.9_ce-150000.1.25.1
- pkg:rpm/suse/docker-stable (SUSE Linux Enterprise Server 15 SP5-LTSS): < 24.0.9_ce-150000.1.25.1
- pkg:rpm/suse/docker-stable (SUSE Linux Enterprise Server for SAP Applications 15 SP3): < 24.0.9_ce-150000.1.25.1
- pkg:rpm/suse/docker-stable (SUSE Linux Enterprise Server for SAP Applications 15 SP4): < 24.0.9_ce-150000.1.25.1
- pkg:rpm/suse/docker-stable (SUSE Linux Enterprise Server for SAP Applications 15 SP5): < 24.0.9_ce-150000.1.25.1
- pkg:rpm/suse/docker-stable (SUSE Linux Enterprise Server LTSS Extended Security 12 SP5): < 24.0.9_ce-1.20.1
- pkg:rpm/suse/go (SUSE Package Hub 15): < 1.12-bp150.2.6.1
- pkg:rpm/suse/golang-github-docker-libnetwork (SUSE Linux Enterprise Module for Containers 12): < 0.7.0.1+gitr2711_2cfbf9b1f981-16.2
- pkg:rpm/suse/golang-github-docker-libnetwork (SUSE Linux Enterprise Module for Containers 15): < 0.7.0.1+gitr2664_3ac297bc7fd0-4.3.5
- pkg:rpm/suse/golang-github-docker-libnetwork (SUSE Linux Enterprise Module for Containers 15 SP1): < 0.7.0.1+gitr2726_872f0a83c98a-4.12.1
- pkg:rpm/suse/golang-github-docker-libnetwork (SUSE OpenStack Cloud 6-LTSS): < 0.7.0.1+gitr2711_2cfbf9b1f981-16.2
- pkg:rpm/suse/helm (SUSE Package Hub 12 SP3): < 2.13.1-5.1
- pkg:rpm/suse/helm-mirror (SUSE Linux Enterprise Module for Containers 15): < 0.2.1-1.7.1
- pkg:rpm/suse/helm-mirror (SUSE Linux Enterprise Module for Containers 15 SP1): < 0.2.1-1.7.1
- pkg:rpm/suse/runc (SUSE Linux Enterprise Module for Containers 12): < 1.0.0~rc93-16.8.1
- pkg:rpm/suse/runc (SUSE Package Hub 15): < 1.0.0~rc6-bp150.2.3.1
- (no package coordinates, no CPE): range 1.10.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
12 references, all carried over from the MITRE record:
- lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html (vendor advisory, SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html (vendor advisory, SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html (vendor advisory, SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html (vendor advisory, SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html (vendor advisory, SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html (vendor advisory, SUSE)
- security.gentoo.org/glsa/201812-09 (vendor advisory, Gentoo)
- www.securityfocus.com/bid/106226 (vulnerability database entry, BID)
- bugzilla.redhat.com/show_bug.cgi (confirmation; bug id not preserved in this record)
- groups.google.com/forum/ (misc; thread path not preserved in this record)
- lists.debian.org/debian-lts-announce/2021/03/msg00014.html (mailing list)
- lists.debian.org/debian-lts-announce/2021/03/msg00015.html (mailing list)
News mentions
No linked articles in our index yet.