CVE-2017-15041

CRITICAL

Go <1.8.4, 1.9.x <1.9.1 - Remote Code Execution

Title source: manual
STIX 2.1

Description

Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get."

References (10)

Core 10
Core References
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:3463
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0878
Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://golang.org/cl/68190
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/101196
Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://golang.org/cl/68022
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201710-23
Mailing List, Vendor Advisory x_refsource_confirm
https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/golang/go/issues/22125
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html

Scores

CVSS v3 9.8
EPSS 0.0382
EPSS Percentile 88.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (11)
debian/debian_linux 9.0
golang/go 1.9
golang/go < 1.8.3
redhat/developer_tools 1.0
redhat/enterprise_linux_eus 7.6
redhat/enterprise_linux_eus 7.7
redhat/enterprise_linux_server 7.0
redhat/enterprise_linux_server_aus 7.6
redhat/enterprise_linux_server_aus 7.7
redhat/enterprise_linux_tus 7.6
... and 1 more
Published Oct 05, 2017
Tracked Since Feb 18, 2026