CVSS: 8.1EPSS: 1%CPEs: 8EXPL: 0CVE-2018-16874
https://notcve.org/view.php?id=CVE-2018-16874
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution. En Go en versiones anteriores a la 1.10.6 y versiones 1.11.x anteriores a la 1.11.3, el comando "go get" es vulnerable a un salto de directorio cuando se ejecuta con la ruta de importación de un paquete Go malicioso que contiene llaves (ambos caracteres "{" y "}"). Específicamente, solo es vulnerable en modo GOPATH, pero no en modo módulo (la diferencia está documentada en https://golang.org/cmd/go/#hdr-Module_aware_go_get). • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html http://www.securityfocus.com/bid/106228 https://bugzilla&# • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2018-16875
https://notcve.org/view.php?id=CVE-2018-16875
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected. El paquete crypto/x509 de Go, en versiones anteriores a la 1.10.6 y versiones 1.11.x anteriores a la 1.11.3,no limita la cantidad de trabajo realizado para cada verificación de cadenas, lo que podría permitir que los atacantes manipulen entradas patológicas que conducen a la denegación de servicio (DoS) de la CPU. Los servidores TLS de Go que aceptan certificados de clientes y clientes TLS se han visto afectados. • http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html http://www.securityfocus.com/bid/106230 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16875 https://groups.google.com&#x • CWE-20: Improper Input Validation CWE-295: Improper Certificate Validation •
CVSS: 9.3EPSS: 30%CPEs: 4EXPL: 1CVE-2018-7187
https://notcve.org/view.php?id=CVE-2018-7187
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site. La implementación "go get" en Go 1.9.4, cuando se emplea la opción -insecure command-line, no valida la ruta de importación (get/vcs.go solo busca "://" en cualquier lugar de la cadena), lo que permite que atacantes remotos ejecuten comandos arbitrarios del sistema operativo mediante un sitio web manipulado. • https://gist.github.com/SLAYEROWNER/b2a358f13ab267f2e9543bb9f9320ffc https://github.com/golang/go/issues/23867 https://lists.debian.org/debian-lts-announce/2018/02/msg00029.html https://security.gentoo.org/glsa/201804-12 https://www.debian.org/security/2019/dsa-4379 https://www.debian.org/security/2019/dsa-4380 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.8EPSS: 2%CPEs: 13EXPL: 28CVE-2018-6574 – golang: arbitrary code execution during "go get" via C compiler options
https://notcve.org/view.php?id=CVE-2018-6574
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. Go, en versiones anteriores a la 1.8.7; Go en versiones 1.9.x anteriores a la 1.9.4 y los prelanzamientos de Go 1.10 anteriores a Go 1.10rc2 permiten la ejecución remota de comandos "go get" durante la construcción del código fuente aprovechando la característica del plugin gcc o clang debido a que los argumentos -fplugin= y -plugin= no se bloquearon. An arbitrary command execution flaw was found in the way Go's "go get" command handled gcc and clang sensitive options during the build. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side. • https://github.com/neargle/Go-Get-RCE-CVE-2018-6574-POC https://github.com/qweraqq/CVE-2018-6574 https://github.com/frozenkp/CVE-2018-6574 https://github.com/darthvader-htb/CVE-2018-6574 https://github.com/antunesmpedro/CVE-2018-6574 https://github.com/asavior2/CVE-2018-6574 https://github.com/Dannners/CVE-2018-6574-go-get-RCE https://github.com/jftierno/-CVE-2018-6574 https://github.com/ItsFadinG/CVE-2018-6574 https://github.com/OLAOLAOLA789/CVE-2018-6574 htt • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 1%CPEs: 16EXPL: 0CVE-2015-5739 – golang: HTTP request smuggling in net/http library
https://notcve.org/view.php?id=CVE-2015-5739
The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead of a hyphen, as demonstrated by "Content Length" instead of "Content-Length." La biblioteca net/http en net/textproto/reader.go en Go en versiones anteriores a la 1.4.3 no analiza sintácticamente claves de cabecera HTTP correctamente, lo que permite que atacantes remotos lleven a cabo ataques de contrabando de peticiones HTTP mediante un espacio en lugar de un guión, tal y como se muestra en "Content Length", en lugar de "Content-Length". HTTP-request vulnerabilities have been found in the Golang net/http and net/textproto libraries. Request headers with double Content-Length fields do not generate a 400 error (the second field is ignored), and invalid fields are parsed as valid (for example, "Content Length:" with a space in the middle is accepted). A non-authenticated attacker could exploit these flaws to bypass security controls, perform web-cache poisoning, or alter the request/response map (denial of service). • http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167997.html http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168029.html http://rhn.redhat.com/errata/RHSA-2016-1538.html http://seclists.org/oss-sec/2015/q3/237 http://seclists.org/oss-sec/2015/q3/292 http://seclists.org/oss-sec/2015/q3/294 http://www.securityfocus.com/bid/76281 https://bugzilla.redhat.com/show_bug.cgi?id=1250352 https://github.com/golang/go/commit/117ddcb83d7f42d • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •