Lucene search

K
gentooGentoo FoundationGLSA-201804-12
HistoryApr 15, 2018 - 12:00 a.m.

Go: Arbitrary code execution

2018-04-1500:00:00
Gentoo Foundation
security.gentoo.org
20

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.307

Percentile

97.0%

Background

Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.

Description

A vulnerability in Go was discovered which does not validate the import path of remote repositories.

Impact

Remote attackers, by enticing a user to import from a crafted website, could execute arbitrary commands.

Workaround

There is no known workaround at this time.

Resolution

All Go users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-lang/go-1.10.1"
OSVersionArchitecturePackageVersionFilename
Gentooanyalldev-lang/go< 1.10.1UNKNOWN

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.307

Percentile

97.0%