CVE-2018-16873

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u".
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 98%
Affected Products (NVD)
VendorProductVersion
golanggo
𝑥
< 1.10.6
golanggo
1.11.0 ≤
𝑥
< 1.11.3
opensusebackports_sle
15.0
opensuseleap
15.0
opensuseleap
15.1
opensuseleap
42.3
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang
bionic
dne
cosmic
dne
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
golang-1.10
bionic
needed
cosmic
ignored
disco
ignored
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
needed
xenial
needs-triage
golang-1.11
bionic
dne
cosmic
dne
disco
not-affected
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
golang-1.6
bionic
dne
cosmic
dne
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
needs-triage
golang-1.8
bionic
needs-triage
cosmic
ignored
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
golang-1.9
bionic
needs-triage
cosmic
ignored
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
containerd
suse enterprise desktop 15 SP7
1.2.5-5.13.1
fixed
suse enterprise sap 12
1.4.4-16.38.1
fixed
suse enterprise sap 12 SP3
1.4.4-16.38.1
fixed
suse enterprise sap 12 SP4
1.4.4-16.38.1
fixed
suse enterprise sap 12 SP5
1.4.4-16.38.1
fixed
suse enterprise sap 15
1.2.5-5.13.1
fixed
suse enterprise sap 15 SP1
1.2.2-5.9.1
fixed
suse enterprise sap 15 SP2
1.2.5-5.13.1
fixed
suse enterprise sap 15 SP3
1.2.5-5.13.1
fixed
suse enterprise sap 15 SP4
1.2.5-5.13.1
fixed
suse enterprise sap 15 SP5
1.2.5-5.13.1
fixed
suse enterprise sap 15 SP6
1.2.5-5.13.1
fixed
suse enterprise sap 15 SP7
1.2.5-5.13.1
fixed
suse enterprise server 12
1.4.4-16.38.1
fixed
suse enterprise server 12 SP3
1.4.4-16.38.1
fixed
suse enterprise server 12 SP4
1.4.4-16.38.1
fixed
suse enterprise server 12 SP5
1.4.4-16.38.1
fixed
suse enterprise server 15
1.2.5-5.13.1
fixed
suse enterprise server 15 SP1
1.2.2-5.9.1
fixed
suse enterprise server 15 SP2
1.2.5-5.13.1
fixed
suse enterprise server 15 SP3
1.2.5-5.13.1
fixed
suse enterprise server 15 SP4
1.2.5-5.13.1
fixed
suse enterprise server 15 SP5
1.2.5-5.13.1
fixed
suse enterprise server 15 SP6
1.2.5-5.13.1
fixed
suse enterprise server 15 SP7
1.2.5-5.13.1
fixed
containerd-ctr
suse enterprise sap 15 SP5
1.2.5-5.13.1
fixed
suse enterprise sap 15 SP6
1.2.5-5.13.1
fixed
suse enterprise sap 15 SP7
1.2.5-5.13.1
fixed
suse enterprise server 15 SP5
1.2.5-5.13.1
fixed
suse enterprise server 15 SP6
1.2.5-5.13.1
fixed
suse enterprise server 15 SP7
1.2.5-5.13.1
fixed
containerd-devel
suse enterprise sap 15 SP5
1.6.19-150000.87.1
fixed
suse enterprise sap 15 SP6
1.7.10-150000.108.1
fixed
suse enterprise sap 15 SP7
1.7.27-150000.123.1
fixed
suse enterprise server 15 SP5
1.6.19-150000.87.1
fixed
suse enterprise server 15 SP6
1.7.10-150000.108.1
fixed
suse enterprise server 15 SP7
1.7.27-150000.123.1
fixed
go
suse enterprise desktop 15 SP7
1.12-3.10.1
fixed
suse enterprise sap 15 SP7
1.12-3.10.1
fixed
suse enterprise server 15 SP7
1.12-3.10.1
fixed
go-doc
suse enterprise desktop 15 SP7
1.12-3.10.1
fixed
suse enterprise sap 15 SP7
1.12-3.10.1
fixed
suse enterprise server 15 SP7
1.12-3.10.1
fixed
go-race
suse enterprise desktop 15 SP7
1.12-3.10.1
fixed
suse enterprise sap 15 SP7
1.12-3.10.1
fixed
suse enterprise server 15 SP7
1.12-3.10.1
fixed
helm
suse enterprise sap 15 SP4
3.8.0-150000.1.3.1
fixed
suse enterprise sap 15 SP5
3.11.2-150000.1.21.1
fixed
suse enterprise sap 15 SP6
3.13.3-150000.1.32.1
fixed
suse enterprise sap 15 SP7
3.17.2-150000.1.44.1
fixed
suse enterprise server 15 SP4
3.8.0-150000.1.3.1
fixed
suse enterprise server 15 SP5
3.11.2-150000.1.21.1
fixed
suse enterprise server 15 SP6
3.13.3-150000.1.32.1
fixed
suse enterprise server 15 SP7
3.17.2-150000.1.44.1
fixed
helm-bash-completion
suse enterprise sap 15 SP4
3.8.0-150000.1.3.1
fixed
suse enterprise sap 15 SP5
3.11.2-150000.1.21.1
fixed
suse enterprise sap 15 SP6
3.13.3-150000.1.32.1
fixed
suse enterprise sap 15 SP7
3.17.2-150000.1.44.1
fixed
suse enterprise server 15 SP4
3.8.0-150000.1.3.1
fixed
suse enterprise server 15 SP5
3.11.2-150000.1.21.1
fixed
suse enterprise server 15 SP6
3.13.3-150000.1.32.1
fixed
suse enterprise server 15 SP7
3.17.2-150000.1.44.1
fixed
helm-mirror
suse enterprise sap 15
0.2.1-1.7.1
fixed
suse enterprise sap 15 SP1
0.2.1-1.7.1
fixed
suse enterprise sap 15 SP2
0.2.1-1.7.1
fixed
suse enterprise sap 15 SP3
0.2.1-1.7.1
fixed
suse enterprise sap 15 SP4
0.2.1-1.7.1
fixed
suse enterprise sap 15 SP5
0.2.1-1.7.1
fixed
suse enterprise sap 15 SP6
0.2.1-1.7.1
fixed
suse enterprise sap 15 SP7
0.2.1-1.7.1
fixed
suse enterprise server 15
0.2.1-1.7.1
fixed
suse enterprise server 15 SP1
0.2.1-1.7.1
fixed
suse enterprise server 15 SP2
0.2.1-1.7.1
fixed
suse enterprise server 15 SP3
0.2.1-1.7.1
fixed
suse enterprise server 15 SP4
0.2.1-1.7.1
fixed
suse enterprise server 15 SP5
0.2.1-1.7.1
fixed
suse enterprise server 15 SP6
0.2.1-1.7.1
fixed
suse enterprise server 15 SP7
0.2.1-1.7.1
fixed
helm-zsh-completion
suse enterprise sap 15 SP4
3.8.0-150000.1.3.1
fixed
suse enterprise sap 15 SP5
3.11.2-150000.1.21.1
fixed
suse enterprise sap 15 SP6
3.13.3-150000.1.32.1
fixed
suse enterprise sap 15 SP7
3.17.2-150000.1.44.1
fixed
suse enterprise server 15 SP4
3.8.0-150000.1.3.1
fixed
suse enterprise server 15 SP5
3.11.2-150000.1.21.1
fixed
suse enterprise server 15 SP6
3.13.3-150000.1.32.1
fixed
suse enterprise server 15 SP7
3.17.2-150000.1.44.1
fixed
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html
http://www.securityfocus.com/bid/106226
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873
https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0
https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html
https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html
https://security.gentoo.org/glsa/201812-09
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html
http://www.securityfocus.com/bid/106226
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16873
https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0
https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html
https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html
https://security.gentoo.org/glsa/201812-09