CVE-2018-7187

EPSS 7.6%

golang-1.7 - security update

Published: 8/9/2022Modified: 3/9/2026

Description

The "go get" command is vulnerable to remote code execution. When the -insecure command-line option is used, "go get" does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.

Affected packages (3)

Debian/golangfrom 0, < 2:1.0.2-1.1+deb7u3
Debian/golang-1.7from 0, < 1.7.4-2+deb9u1
Go/toolchainfrom 0, < 1.9.5, >= 1.10.0-0, < 1.10.1

References (4)

PATCHhttps://go.dev/cl/94603
PATCHhttps://go.googlesource.com/go/+/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc
REPORThttps://go.dev/issue/23867
WEBhttps://groups.google.com/g/golang-announce/c/IkPkOF8JqLs/m/TFBbWHJYAwAJ