2018-09-11 13:06:17 -04:00
{
2019-03-18 03:41:10 +00:00
"CVE_data_meta" : {
"ASSIGNER" : "secalert@redhat.com" ,
"ID" : "CVE-2018-16874" ,
"STATE" : "PUBLIC"
} ,
"affects" : {
"vendor" : {
"vendor_data" : [
{
"product" : {
"product_data" : [
{
"product_name" : "golang" ,
"version" : {
"version_data" : [
{
"version_value" : "1.10.6"
} ,
{
"version_value" : "1.11.3"
}
]
}
}
]
} ,
"vendor_name" : "[UNKNOWN]"
}
]
}
} ,
"data_format" : "MITRE" ,
"data_type" : "CVE" ,
"data_version" : "4.0" ,
"description" : {
"description_data" : [
2018-12-14 14:24:34 +10:00
{
2019-03-18 03:41:10 +00:00
"lang" : "eng" ,
"value" : "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution."
2018-12-14 14:24:34 +10:00
}
2019-03-18 03:41:10 +00:00
]
} ,
"impact" : {
"cvss" : [
[
{
"vectorString" : "6.8/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" ,
"version" : "3.0"
}
]
]
} ,
"problemtype" : {
"problemtype_data" : [
2018-12-14 14:24:34 +10:00
{
2019-03-18 03:41:10 +00:00
"description" : [
{
"lang" : "eng" ,
"value" : "CWE-20"
}
]
2018-12-14 14:24:34 +10:00
}
2019-03-18 03:41:10 +00:00
]
} ,
"references" : {
"reference_data" : [
{
"name" : "GLSA-201812-09" ,
"refsource" : "GENTOO" ,
"url" : "https://security.gentoo.org/glsa/201812-09"
} ,
{
"name" : "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16874" ,
"refsource" : "CONFIRM" ,
"url" : "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16874"
} ,
{
"name" : "106228" ,
"refsource" : "BID" ,
"url" : "http://www.securityfocus.com/bid/106228"
} ,
{
"name" : "https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0" ,
"refsource" : "MISC" ,
"url" : "https://groups.google.com/forum/?pli=1#!topic/golang-announce/Kw31K8G7Fi0"
2019-03-30 01:00:44 +00:00
} ,
{
"refsource" : "SUSE" ,
"name" : "openSUSE-SU-2019:1079" ,
"url" : "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html"
2019-05-27 12:00:55 +00:00
} ,
{
"refsource" : "SUSE" ,
"name" : "openSUSE-SU-2019:1444" ,
"url" : "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html"
2019-06-03 15:00:51 +00:00
} ,
{
"refsource" : "SUSE" ,
"name" : "openSUSE-SU-2019:1499" ,
"url" : "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html"
2019-06-03 18:00:51 +00:00
} ,
{
"refsource" : "SUSE" ,
"name" : "openSUSE-SU-2019:1506" ,
"url" : "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html"
2019-07-14 12:00:53 +00:00
} ,
{
"refsource" : "SUSE" ,
"name" : "openSUSE-SU-2019:1703" ,
"url" : "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html"
2020-04-26 21:01:14 +00:00
} ,
{
"refsource" : "SUSE" ,
"name" : "openSUSE-SU-2020:0554" ,
"url" : "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html"
2021-03-13 21:00:41 +00:00
} ,
{
"refsource" : "MLIST" ,
"name" : "[debian-lts-announce] 20210313 [SECURITY] [DLA 2591-1] golang-1.7 security update" ,
"url" : "https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html"
} ,
{
"refsource" : "MLIST" ,
"name" : "[debian-lts-announce] 20210313 [SECURITY] [DLA 2592-1] golang-1.8 security update" ,
"url" : "https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html"
2019-03-18 03:41:10 +00:00
}
]
}
}
