High severity8.8NVD Advisory· Published Feb 16, 2018· Updated Jun 17, 2026
CVE-2018-7187
CVE-2018-7187
Description
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
9- osv-coords9 versionspkg:rpm/opensuse/go1.9&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/go&distro=openSUSE%20Tumbleweedpkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015pkg:rpm/suse/docker-runc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015pkg:rpm/suse/go1.10&distro=SUSE%20Package%20Hub%2015pkg:rpm/suse/go&distro=SUSE%20Package%20Hub%2015pkg:rpm/suse/golang-github-docker-libnetwork&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015pkg:rpm/suse/golang-packaging&distro=SUSE%20Package%20Hub%2015
< 1.9.7-11.2+ 8 more
- (no CPE)range: < 1.9.7-11.2
- (no CPE)range: < 1.17-1.1
- (no CPE)range: < 1.1.2-5.3.4
- (no CPE)range: < 18.06.1_ce-6.8.2
- (no CPE)range: < 1.0.0rc5+gitr3562_69663f0bd4b6-6.3.4
- (no CPE)range: < 1.10.7-bp150.2.1
- (no CPE)range: < 1.10.4-bp150.2.3.1
- (no CPE)range: < 0.7.0.1+gitr2664_3ac297bc7fd0-4.3.5
- (no CPE)range: < 15.0.11-bp150.3.3.1
Patches
Vulnerability mechanics
References
6- github.com/golang/go/issues/23867nvdExploitIssue TrackingThird Party Advisory
- gist.github.com/SLAYEROWNER/b2a358f13ab267f2e9543bb9f9320ffcnvdThird Party Advisory
- lists.debian.org/debian-lts-announce/2018/02/msg00029.htmlnvdMailing ListThird Party Advisory
- security.gentoo.org/glsa/201804-12nvdThird Party Advisory
- www.debian.org/security/2019/dsa-4379nvdThird Party Advisory
- www.debian.org/security/2019/dsa-4380nvdThird Party Advisory
News mentions
0No linked articles in our index yet.