CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
90.2%
Severity: High
Date : 2018-02-09
CVE-ID : CVE-2018-6574
Package : go
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-606
The package go before version 1.9.4-1 is vulnerable to arbitrary code
execution.
Upgrade to 1.9.4-1.
The problem has been fixed upstream in version 1.9.4.
None.
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before
Go 1.10rc2 allow “go get” remote command execution during source code
build, by leveraging the gcc or clang plugin feature, because -fplugin=
and -plugin= arguments were not blocked.
A remote attacker is able to trick the “go get” command into executing
arbitrary code by passing a maliciously-crafted flag to the gcc or
clang backends.
https://github.com/golang/go/issues/23672
https://go.googlesource.com/go/+/867fb18b6d5bc73266b68c9a695558a04e060a8a
https://groups.google.com/forum/m/#!msg/golang-nuts/Gbhh1NxAjMU/dfW69X50AgAJ
https://security.archlinux.org/CVE-2018-6574
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
90.2%