CVE-2018-12976
CRITICAL
Go Doc Dot Org < 2018-06-27 - Remote Code Execution via Crafted Go-Import Tags
Title source: llm
Description
In Go Doc Dot Org (gddo) through 2018-06-27, an attacker could use specially crafted <go-import> tags in packages being fetched by gddo to cause a directory traversal and remote code execution.
References (2)
Core References
Mailing List mailing-list
x_refsource_mlist
https://groups.google.com/forum/#%21msg/golang-announce/4rpTbfzYB1k/no6MEwlQAwAJ
Patch, Third Party Advisory x_refsource_confirm
https://github.com/golang/gddo/commit/daffe1f90ec57f8ed69464f9094753fc6452e983
Scores
CVSS v3
9.8
EPSS
0.0447
EPSS Percentile
90.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-22
Status
published
Products (1)
godoc/go_doc_dot_org
< 2018-06-27
Published
Jul 05, 2018
Tracked Since
Feb 18, 2026