CVE-2018-7187
EPSS 7.6%
golang-1.7 - security update
Published: 2022/8/9
Modified: 2026/3/9
Description
The "go get" command is vulnerable to remote code execution. When the -insecure command-line option is used, "go get" does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
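The difference between the substring check described above and a check that parses the string first, as an added Go example. This is not the Go toolchain's code or its actual fix; the function names, the scheme allowlist and the sample strings are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// weakCheck models the behaviour in the description: a string is treated
// as a repository URL if "://" appears anywhere in it.
func weakCheck(repo string) bool {
	return strings.Contains(repo, "://")
}

// allowedSchemes is an assumed allowlist for this example.
var allowedSchemes = map[string]bool{"https": true, "git": true, "ssh": true}

// strictCheck parses the string and accepts it only when the scheme is at
// the start, is on the allowlist, and is followed by a host.
func strictCheck(repo string) bool {
	u, err := url.Parse(repo)
	if err != nil {
		return false
	}
	return allowedSchemes[u.Scheme] && u.Host != ""
}

// samples are constructed inputs, not taken from the advisory.
var samples = []string{
	"https://example.com/repo", // well-formed repository URL
	"example.com/repo?ref=://", // "://" only inside the query string
	"example.com/a://b",        // "://" only inside the path
	"ftp://example.com/repo",   // scheme outside the allowlist
}

func main() {
	for _, s := range samples {
		fmt.Printf("%-28q weak=%-5v strict=%v\n", s, weakCheck(s), strictCheck(s))
	}
}
```

All four strings pass the substring check; only the first passes the parsed check.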
Affected packages (3)
- Debian/golang from 0, < 2:1.0.2-1.1+deb7u3
- Debian/golang-1.7 from 0, < 1.7.4-2+deb9u1
- Go/toolchain from 0, < 1.9.5, >= 1.10.0-0, < 1.10.1