CVE-2018-16874

EPSS 5.7%

Directory traversal via "go get" command in cmd/go

Published: 8/2/2022Modified: 5/20/2024

Description

The "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly brace (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.

Affected packages (1)

Go/toolchainfrom 0, < 1.10.6, >= 1.11.0-0, < 1.11.3

References (4)

PATCHhttps://go.dev/cl/154101
PATCHhttps://go.googlesource.com/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3
REPORThttps://go.dev/issue/29230
WEBhttps://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0