Vulnerability Report: GO-2022-0190
standard library - CVE-2018-16874
- Affects: cmd/go/internal/get
- Published: Aug 02, 2022
- Modified: May 20, 2024
The "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly brace (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.
Affected Packages
- Path: cmd/go/internal/get
  Go Versions: before go1.10.6, from go1.11.0-0 before go1.11.3
  Symbols: 1 unexported affected symbol
  - downloadPackage
Aliases
- CVE-2018-16874
References
- https://go.dev/cl/154101
- https://go.googlesource.com/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3
- https://go.dev/issue/29230
- https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0
- https://vuln.go.dev/ID/GO-2022-0190.json
Credits
- ztz of Tencent Security Platform