Remote Code Execution (RCE)

2019-01-1509:20:33

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

github.com/golang/go is vulnerable to remote code execution (RCE). If custom domains are used, a malicious user can set a domain example.com/proj1 to point to a subversion repository and another domain example.com/proj1/proj2 to point to a git repository. When the go get command is run, arbitrary commands in the subversion’s .git/hooks/ is executed on the system that ran the command.

CPENameOperatorVersion
go-toolset-7eq1.8__4.el7
go-toolset-7eq1.8__6.el7
go-toolset-7eq1.8__9.el7
go-toolset-7-golangeq1.8.3__3.el7
go-toolset-7-golangeq1.8.3__4.el7
golangeq1.9.2__4.el7
golangeq1.6.3__2.el7
golangeq1.8.4__1.el7cp
golangeq1.9.2__2.1.el7rhgs
golangeq1.4.2__9.el7

Name	Operator	Version
go-toolset-7	eq	1.8__4.el7
go-toolset-7	eq	1.8__6.el7
go-toolset-7	eq	1.8__9.el7
go-toolset-7-golang	eq	1.8.3__3.el7
go-toolset-7-golang	eq	1.8.3__4.el7
golang	eq	1.9.2__4.el7
golang	eq	1.6.3__2.el7
golang	eq	1.8.4__1.el7cp
golang	eq	1.9.2__2.1.el7rhgs
golang	eq	1.4.2__9.el7