
17 matches found

Tenable Nessus
added 2024/03/07 12:0 a.m. | 25 views

AlmaLinux 9 : golang (ALSA-2024:1131)

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2024:1131 advisory. - A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network th...

CVSS 7.5 | AI score 7.1 | EPSS 0.00123
Exploits 0 | References 3

OSV
added 2024/03/06 11:5 a.m. | 23 views

BIT-GOLANG-2021-3115

Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo; for example, cgo can execute a gcc program from an untrusted download...

CVSS 7.5 | AI score 8.2 | EPSS 0.00137
Exploits 0 | References 6

AlpineLinux
added 2023/06/08 8:19 p.m. | 97 views

CVE-2023-29402

The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved...

CVSS 9.8 | AI score 9.7 | EPSS 0.00125
Exploits 0

SUSE CVE
added 2023/02/15 4:23 a.m. | 1 views

SUSE CVE-2018-16873

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not ...

CVSS 7.5 | AI score 8.6 | EPSS 0.56804
Exploits 0 | References 38

OSV
added 2022/08/09 6:15 p.m. | 30 views

GO-2022-0201 Remote command execution via "go get" command with cgo in cmd/go

The "go get" command with cgo is vulnerable to remote command execution by leveraging the gcc or clang plugin feature. When cgo is enabled, the build step during "go get" invokes the host C compiler, gcc or clang, adding compiler flags specified in the Go source files. Both gcc and clang support ...

CVSS 7.8 | AI score 7.7 | EPSS 0.36789
Exploits 4 | References 3

OSV
added 2022/08/09 5:31 p.m. | 40 views

GO-2022-0177 Remote command execution via "go get" in cmd/go

The "go get" command allows remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory...

CVSS 9.8 | AI score 8.8 | EPSS 0.03816
Exploits 0 | References 4

OSV
added 2021/01/26 6:16 p.m. | 25 views

CVE-2021-3115

Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo; for example, cgo can execute a gcc program from an untrusted download...

CVSS 7.5 | AI score 8
Exploits 0 | References 5

Prion
added 2021/01/26 6:16 p.m. | 33 views

Command injection

Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo; for example, cgo can execute a gcc program from an untrusted download...

CVSS 5.1 | AI score 8.1 | EPSS 0.00137
Exploits 0 | References 5 | Affected Software 2

UbuntuCve
added 2021/01/26 6:16 p.m. | 39 views

CVE-2021-3115

Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo; for example, cgo can execute a gcc program from an untrusted download...

CVSS 7.5 | AI score 7.8 | EPSS 0.00137
Exploits 0 | References 1

Tenable Nessus
added 2019/08/12 12:0 a.m. | 32 views

NewStart CGSL CORE 5.04 / MAIN 5.04 : golang Multiple Vulnerabilities (NS-SA-2019-0047)

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has golang packages installed that are affected by multiple vulnerabilities: - An arbitrary command execution flaw was found in the way Go's go get command handled the checkout of source code repositories. A remote attacker...

CVSS 9.8 | AI score 7.2 | EPSS 0.36789
Exploits 4 | References 4

Tenable Nessus
added 2019/04/01 12:0 a.m. | 32 views

openSUSE Security Update : containerd / docker / docker-runc / etc (openSUSE-2019-1079)

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc fixes the following issues: Security issues fixed: - CVE-2018-16875: Fixed a CPU Denial of Service bsc1118899. - CVE-2018-16874: Fixed a vulnerability in go get command which could allow directory traversal in...

CVSS 9.3 | AI score 7.7 | EPSS 0.59178
Exploits 33 | References 15

Tenable Nessus
added 2019/02/04 12:0 a.m. | 87 views

Debian DSA-4380-1 : golang-1.8 - security update

A vulnerability was discovered in the implementation of the P-521 and P-384 elliptic curves, which could result in denial of service and in some cases key recovery. In addition this update fixes two vulnerabilities in 'go get', which could result in the execution of arbitrary shell commands. C...

CVSS 9.3 | AI score 7.2 | EPSS 0.36789
Exploits 5 | References 6

Tenable Nessus
added 2018/12/17 12:0 a.m. | 46 views

Amazon Linux AMI : golang (ALAS-2018-1130)

In Go before 1.10.6 and 1.11.x before 1.11.3, the 'go get' command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not ...

CVSS 8.1 | AI score 8 | EPSS 0.56804
Exploits 0 | References 4

UbuntuCve
added 2018/12/14 2:29 p.m. | 28 views

CVE-2018-16873

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not ...

CVSS 8.1 | AI score 7.5 | EPSS 0.56804
Exploits 0 | References 2

Check Point Advisories
added 2018/04/30 12:0 a.m. | 3 views

Google Golang Get Command Injection (CVE-2018-7187)

A command injection vulnerability exists in the golang client. This vulnerability is due to insufficient sanitization of user input by the go get command...

CVSS 9.3 | AI score 2.6 | EPSS 0.07587
Exploits 1

Veracode
added 2018/02/20 2:33 a.m. | 37 views

Arbitrary Code Execution

github.com/golang/go is vulnerable to arbitrary code execution attacks. The library does not properly validate the import path when the -insecure flag is used for the go get command. This allows a malicious user to execute arbitrary commands through the use of a malicious website...

CVSS 8.8 | AI score 9.1 | EPSS 0.07587
Exploits 1 | References 8 | Affected Software 1

Mageia
added 2018/01/21 9:31 p.m. | 44 views

Updated golang packages fix security vulnerabilities

An arbitrary command execution flaw was found in the way Go's "go get" command handled the checkout of source code repositories. A remote attacker capable of hosting malicious repositories could potentially use this flaw to cause arbitrary command execution on the client side CVE-2017-15041. It w...

CVSS 9.8 | AI score 2.5 | EPSS 0.03816
Exploits 0 | References 2