CVE-2018-6574
EUVD-2018-1832407.02.2018, 21:29
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| golang | go | 𝑥 ≤ 1.8.6 |
| golang | go | 1.9 |
| golang | go | 1.9.1 |
| golang | go | 1.9.2 |
| golang | go | 1.9.3 |
| golang | go | 1.10:beta1 |
| golang | go | 1.10:beta2 |
| golang | go | 1.10:rc1 |
| debian | debian_linux | 9.0 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_server_aus | 7.6 |
| redhat | enterprise_linux_server_eus | 7.6 |
| redhat | enterprise_linux_server_tus | 7.6 |
𝑥
= Vulnerable software versions
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| golang |
| ||||||||||||||||||||||||||||||||
| golang-1.6 |
| ||||||||||||||||||||||||||||||||
| golang-1.7 |
| ||||||||||||||||||||||||||||||||
| golang-1.8 |
| ||||||||||||||||||||||||||||||||
| golang-1.9 |
|
References