CVE-2018-16874

描述

The "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly brace (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.

受影響套件(1)

• Go/toolchainfrom 0, < 1.10.6, >= 1.11.0-0, < 1.11.3

參考連結(4)

• PATCHhttps://go.dev/cl/154101
• PATCHhttps://go.googlesource.com/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3
• REPORThttps://go.dev/issue/29230
• WEBhttps://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0