CVE-2017-15041
Date: created (C) 2017-10-06, modified (M) 2023-12-22


Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get."
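The mechanism above only works because a Git checkout with its own .git/hooks/ is committed inside another repository and later reused. Besides upgrading Go to 1.8.4 / 1.9.1 or later, a defender can scan a source tree (a vendor/ directory, a GOPATH, a mirror of third-party code) for nested .git directories that carry executable hook scripts before any tool is run against it. The Go program below is an added example written for this page; it is not code from the Go project or from SecPod. It walks a directory, skips the top-level .git (those hooks are the user's own), and reports every executable, non-.sample file found under a nested <dir>/.git/hooks/. BuildSampleTree builds a constructed tree for demonstration only; the hook it writes merely echoes a line.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding records one executable hook script found inside a nested .git
// directory below the root of the scanned tree.
type Finding struct {
	HookPath string // path to the hook file
	GitDir   string // the nested .git directory that owns it
}

// FindNestedGitHooks walks root and reports executable, non-sample files in
// any <dir>/.git/hooks/ where <dir> is not root itself. A .git directory
// committed inside another checkout is the pattern described in CVE-2017-15041.
func FindNestedGitHooks(root string) ([]Finding, error) {
	var findings []Finding
	root = filepath.Clean(root)
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.IsDir() || d.Name() != ".git" {
			return nil
		}
		if filepath.Dir(path) == root {
			return filepath.SkipDir // top-level repository metadata, not a nested checkout
		}
		hooksDir := filepath.Join(path, "hooks")
		entries, readErr := os.ReadDir(hooksDir)
		if readErr != nil {
			return filepath.SkipDir // nested .git without a hooks directory: nothing to report
		}
		for _, e := range entries {
			// Git ships *.sample hooks that are never executed; skip them.
			if e.IsDir() || strings.HasSuffix(e.Name(), ".sample") {
				continue
			}
			info, infoErr := e.Info()
			if infoErr != nil {
				return infoErr
			}
			// Any execute bit set means Git would run this script on the matching event.
			if info.Mode()&0o111 != 0 {
				findings = append(findings, Finding{
					HookPath: filepath.Join(hooksDir, e.Name()),
					GitDir:   path,
				})
			}
		}
		return filepath.SkipDir // do not descend into the nested repository's objects
	})
	return findings, err
}

// BuildSampleTree creates a constructed layout under dir for demonstration:
// a harmless top-level hook (ignored), a .sample hook (ignored) and one
// executable post-checkout hook inside pkg1/pkg2/.git/hooks (reported).
func BuildSampleTree(dir string) error {
	topHooks := filepath.Join(dir, ".git", "hooks")
	nestedHooks := filepath.Join(dir, "pkg1", "pkg2", ".git", "hooks")
	for _, h := range []string{topHooks, nestedHooks} {
		if err := os.MkdirAll(h, 0o755); err != nil {
			return err
		}
	}
	script := []byte("#!/bin/sh\necho constructed sample hook\n")
	if err := os.WriteFile(filepath.Join(topHooks, "pre-commit"), script, 0o755); err != nil {
		return err
	}
	if err := os.WriteFile(filepath.Join(nestedHooks, "pre-push.sample"), script, 0o755); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(nestedHooks, "post-checkout"), script, 0o755)
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	findings, err := FindNestedGitHooks(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("nested executable hook: %s (in %s)\n", f.HookPath, f.GitDir)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run it as `go run . /path/to/tree`; a non-zero exit with a list of hooks is the signal to inspect that checkout before handing it to "go get" or any other tool that may reuse it. The scan is a pre-condition check, not a replacement for the fixed Go versions, since it only covers hooks present on disk at scan time.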

CVSS Score and Metrics

CVSS V3 Severity:
  CVSS Score: 9.8
  Exploit Score: 3.9
  Impact Score: 5.9
CVSS V3 Metrics:
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality: HIGH
  Integrity: HIGH
  Availability: HIGH

CVSS V2 Severity:
  CVSS Score: 7.5
  Exploit Score: 10.0
  Impact Score: 6.4
CVSS V2 Metrics:
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
  
Reference:
BID-101196
GLSA-201710-23
RHSA-2017:3463
RHSA-2018:0878
https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html
https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html
https://github.com/golang/go/issues/22125
https://golang.org/cl/68022
https://golang.org/cl/68190
https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ

CPE (3):
cpe:/o:debian:debian_linux:9.0
cpe:/a:golang:go
cpe:/o:redhat:enterprise_linux_server:7.0
OVAL (8, first four listed):
oval:org.secpod.oval:def:1600802
oval:org.secpod.oval:def:1800887
oval:org.secpod.oval:def:204795
oval:org.secpod.oval:def:113326
...

© SecPod Technologies