CVE-2018-16874
Directory traversal via "go get" command in cmd/go
EPSS 5.7%
Description
The "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly brace (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.
How to fix CVE-2018-16874
To remediate CVE-2018-16874, upgrade the affected package to a fixed version below.
- Go/toolchain—upgrade to 1.10.6 or later
Is CVE-2018-16874 being exploited?
Moderate — EPSS is 5.7%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- from 0, < 1.10.6, >= 1.11.0-0, < 1.11.3