Go Security Vulnerabilities and Issues — Go CVE List

Lucene search

GolangGo

3 matches found

CVE•added 2018/12/14 2:29 p.m.•198 views

CVE-2018-16873

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in...

8.1CVSS8.5AI score0.81278EPSS

CVE•added 2018/12/14 2:29 p.m.•182 views

CVE-2018-16874

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode ...

8.1CVSS8.2AI score0.03463EPSS

CVE•added 2018/12/14 2:29 p.m.•158 views

CVE-2018-16875

The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are...

7.8CVSS7.5AI score0.03484EPSS