Allele Security Alert
ASA-2018-00075
Identifier(s)
ASA-2018-00075, CVE-2018-16874
Title
Directory traversal in “go get” via curly braces in import paths
Vendor(s)
The Go Authors
Product(s)
Go
Affected version(s)
Go before 1.11.3 and 1.10.6
Fixed version(s)
Go 1.11.3
Go 1.10.6
Proof of concept
Unknown
Description
The “go get” command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both ‘{‘ and ‘}’ characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode. The attacker can cause an arbitrary filesystem write, which can lead to code execution.
Technical details
Unknown
Credits
ztz (Tencent Security Platform)
Reference(s)
Go security releases 1.11.3 and 1.10.6
https://seclists.org/oss-sec/2018/q4/254
cmd/go: directory traversal in “go get” via curly braces in import paths #29231
https://github.com/golang/go/issues/29231
[release-branch.go1.11-security] cmd/go: reject ‘get’ of paths containing leading dots or unsupported characters
https://github.com/golang/go/commit/8954addb3294a5e664a9833354bafa58f163fe8f
[release-branch.go1.10-security] cmd/go: reject ‘get’ of paths containing leading dots or unsupported characters
https://github.com/golang/go/commit/90d609ba6156299642d08afc06d85ab770a03972
CVE-2018-16874
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16874
CVE-2018-16874
https://nvd.nist.gov/vuln/detail/CVE-2018-16874
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 11, 2019