CVE Vulnerabilities

CVE-2017-15041

Published: Oct 05, 2017 | Modified: Mar 19, 2021
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
7.5 MODERATE
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Ubuntu
LOW

Go before 1.8.4 and 1.9.x before 1.9.1 allows go get remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, go get can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repositorys Git checkout has malicious commands in .git/hooks/, they will execute on the system running go get.

Affected Software

Name Vendor Start Version End Version
Go Golang * 1.8.3 (including)
Go Golang 1.9 (including) 1.9 (including)
Red Hat Developer Tools RedHat go-toolset-7-0:1.8-10.el7 *
Red Hat Developer Tools RedHat go-toolset-7-golang-0:1.8.5-1.el7 *
Red Hat Enterprise Linux 7 RedHat golang-0:1.9.4-1.el7 *
Golang Ubuntu trusty *
Golang Ubuntu vivid/ubuntu-core *
Golang-1.6 Ubuntu esm-infra/xenial *
Golang-1.6 Ubuntu trusty *
Golang-1.6 Ubuntu upstream *
Golang-1.6 Ubuntu xenial *
Golang-1.7 Ubuntu artful *
Golang-1.7 Ubuntu cosmic *
Golang-1.7 Ubuntu zesty *
Golang-1.8 Ubuntu artful *
Golang-1.8 Ubuntu bionic *
Golang-1.8 Ubuntu cosmic *
Golang-1.8 Ubuntu upstream *
Golang-1.8 Ubuntu zesty *
Golang-1.9 Ubuntu upstream *

References