Unrated severityNVD Advisory· Published Dec 14, 2018· Updated Aug 5, 2024
CVE-2018-16874
CVE-2018-16874
Description
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.
Affected products
74- osv-coords73 versionspkg:rpm/opensuse/containerd&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/containerd&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/containerd&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/cri-o&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/cri-o&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/cri-tools&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/docker&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/docker&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/docker&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/docker-runc&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/docker-runc&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/docker-stable&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/docker-stable&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/etcd&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/etcd&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/etcd&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/flannel&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/go1.10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/go1.11&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/go1.11&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/go1.11&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/go1.12&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/go1.12&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/go1.12&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/go1.14&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/go&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/go&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/go&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/golang-github-docker-libnetwork&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/golang-github-docker-libnetwork&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/helm3&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/helm&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/helm-mirror&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/kubernetes&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/runc&distro=openSUSE%20Tumbleweedpkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP1pkg:rpm/suse/containerd&distro=SUSE%20OpenStack%20Cloud%206-LTSSpkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP1pkg:rpm/suse/docker&distro=SUSE%20OpenStack%20Cloud%206-LTSSpkg:rpm/suse/docker-runc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012pkg:rpm/suse/docker-runc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015pkg:rpm/suse/docker-runc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP1pkg:rpm/suse/docker-runc&distro=SUSE%20OpenStack%20Cloud%206-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP6pkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP7pkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSSpkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5pkg:rpm/suse/docker-stable&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/go&distro=SUSE%20Package%20Hub%2015pkg:rpm/suse/golang-github-docker-libnetwork&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012pkg:rpm/suse/golang-github-docker-libnetwork&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015pkg:rpm/suse/golang-github-docker-libnetwork&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP1pkg:rpm/suse/golang-github-docker-libnetwork&distro=SUSE%20OpenStack%20Cloud%206-LTSSpkg:rpm/suse/helm&distro=SUSE%20Package%20Hub%2012%20SP3pkg:rpm/suse/helm-mirror&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015pkg:rpm/suse/helm-mirror&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP1pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012pkg:rpm/suse/runc&distro=SUSE%20Package%20Hub%2015
< 1.2.5-lp150.4.14.3+ 72 more
- (no CPE)range: < 1.2.5-lp150.4.14.3
- (no CPE)range: < 1.2.5-lp151.2.3.1
- (no CPE)range: < 1.4.8-2.2
- (no CPE)range: < 1.17.1-lp151.2.2
- (no CPE)range: < 1.22.0-1.2
- (no CPE)range: < 1.18.0-lp151.2.1
- (no CPE)range: < 18.09.6_ce-lp150.5.17.2
- (no CPE)range: < 18.09.6_ce-lp151.2.3.1
- (no CPE)range: < 20.10.6_ce-2.1
- (no CPE)range: < 1.0.0rc6+gitr3804_2b18fe1d885e-lp150.5.21.2
- (no CPE)range: < 1.0.0rc6+gitr3804_2b18fe1d885e-lp151.3.3.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-15.1
- (no CPE)range: < 3.5.12-150000.7.6.1
- (no CPE)range: < 3.5.12-150000.7.6.1
- (no CPE)range: < 3.4.16-3.1
- (no CPE)range: < 0.14.0-1.2
- (no CPE)range: < 1.10.8-8.2
- (no CPE)range: < 1.11.9-lp150.9.3
- (no CPE)range: < 1.11.9-lp151.2.3.1
- (no CPE)range: < 1.11.13-10.5
- (no CPE)range: < 1.12.4-lp150.2.2
- (no CPE)range: < 1.12.4-lp151.2.3.1
- (no CPE)range: < 1.12.17-4.8
- (no CPE)range: < 1.14-lp151.6.1
- (no CPE)range: < 1.12-lp150.2.11.1
- (no CPE)range: < 1.12-lp151.2.3.1
- (no CPE)range: < 1.17-1.1
- (no CPE)range: < 0.7.0.1+gitr2726_872f0a83c98a-lp150.3.14.1
- (no CPE)range: < 0.7.0.1+gitr2726_872f0a83c98a-lp151.2.3.1
- (no CPE)range: < 3.19.2-1.1
- (no CPE)range: < 3.6.3-1.1
- (no CPE)range: < 0.3.1-1.9
- (no CPE)range: < 1.18.0-lp151.5.1
- (no CPE)range: < 1.0.2-1.2
- (no CPE)range: < 1.2.2-16.14.2
- (no CPE)range: < 1.1.2-5.3.4
- (no CPE)range: < 1.2.5-5.13.1
- (no CPE)range: < 1.2.2-16.14.2
- (no CPE)range: < 18.09.1_ce-98.34.2
- (no CPE)range: < 18.06.1_ce-6.8.2
- (no CPE)range: < 18.09.6_ce-6.17.1
- (no CPE)range: < 18.09.1_ce-98.34.2
- (no CPE)range: < 1.0.0rc6+gitr3748_96ec2177ae84-1.17.2
- (no CPE)range: < 1.0.0rc5+gitr3562_69663f0bd4b6-6.3.4
- (no CPE)range: < 1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1
- (no CPE)range: < 1.0.0rc6+gitr3748_96ec2177ae84-1.17.2
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-1.20.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-150000.1.25.1
- (no CPE)range: < 24.0.9_ce-1.20.1
- (no CPE)range: < 1.12-bp150.2.6.1
- (no CPE)range: < 0.7.0.1+gitr2711_2cfbf9b1f981-16.2
- (no CPE)range: < 0.7.0.1+gitr2664_3ac297bc7fd0-4.3.5
- (no CPE)range: < 0.7.0.1+gitr2726_872f0a83c98a-4.12.1
- (no CPE)range: < 0.7.0.1+gitr2711_2cfbf9b1f981-16.2
- (no CPE)range: < 2.13.1-5.1
- (no CPE)range: < 0.2.1-1.7.1
- (no CPE)range: < 0.2.1-1.7.1
- (no CPE)range: < 1.0.0~rc93-16.8.1
- (no CPE)range: < 1.0.0~rc6-bp150.2.3.1
- Range: 1.10.6
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
12- lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.htmlmitrevendor-advisoryx_refsource_SUSE
- lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.htmlmitrevendor-advisoryx_refsource_SUSE
- lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.htmlmitrevendor-advisoryx_refsource_SUSE
- lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.htmlmitrevendor-advisoryx_refsource_SUSE
- lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.htmlmitrevendor-advisoryx_refsource_SUSE
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.htmlmitrevendor-advisoryx_refsource_SUSE
- security.gentoo.org/glsa/201812-09mitrevendor-advisoryx_refsource_GENTOO
- www.securityfocus.com/bid/106228mitrevdb-entryx_refsource_BID
- bugzilla.redhat.com/show_bug.cgimitrex_refsource_CONFIRM
- groups.google.com/forum/mitrex_refsource_MISC
- lists.debian.org/debian-lts-announce/2021/03/msg00014.htmlmitremailing-listx_refsource_MLIST
- lists.debian.org/debian-lts-announce/2021/03/msg00015.htmlmitremailing-listx_refsource_MLIST
News mentions
0No linked articles in our index yet.