CVE-2018-16874

HIGH

Go <1.10.6, 1.11.x <1.11.3 - Path Traversal

Title source: llm

Description

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.

References (12)

Core 12

Core References

Mitigation, Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/201812-09

Issue Tracking, Third Party Advisory x_refsource_confirm

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16874

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/106228

Mailing List x_refsource_misc

https://groups.google.com/forum/?pli=1#%21topic/golang-announce/Kw31K8G7Fi0

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00010.html

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html

Scores

CVSS v3 8.1

EPSS 0.0574

EPSS Percentile 90.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-22 CWE-20

Status published

Products (7)

debian/debian_linux 9.0

golang/go < 1.10.6

opensuse/backports_sle 15.0

opensuse/leap 15.0

opensuse/leap 15.1

opensuse/leap 42.3

suse/linux_enterprise_server 12

Published Dec 14, 2018

Tracked Since Feb 18, 2026