зеркало из https://github.com/golang/vulndb.git
32 строки
1.2 KiB
YAML
32 строки
1.2 KiB
YAML
modules:
|
|
- module: cmd
|
|
versions:
|
|
- fixed: 1.8.4
|
|
- introduced: 1.9.0
|
|
fixed: 1.9.1
|
|
vulnerable_at: 1.9.0
|
|
packages:
|
|
- package: cmd/go
|
|
skip_fix: 'TODO: revisit this reason (cant request explicit version of standard
|
|
library package cmd/go)'
|
|
description: |
|
|
The "go get" command allows remote command execution.
|
|
|
|
Using custom domains, it is possible to arrange things so that
|
|
example.com/pkg1 points to a Subversion repository but
|
|
example.com/pkg1/pkg2 points to a Git repository. If the Subversion
|
|
repository includes a Git checkout in its pkg2 directory and
|
|
some other work is done to ensure the proper ordering of operations, "go
|
|
get" can be tricked into reusing this Git checkout for the fetch of code
|
|
from pkg2. If the Subversion repository's Git checkout has malicious
|
|
commands in .git/hooks/, they will execute on the system running "go get".
|
|
published: 2022-08-09T17:31:35Z
|
|
cves:
|
|
- CVE-2017-15041
|
|
credit: Simon Rawet
|
|
references:
|
|
- fix: https://go.dev/cl/68110
|
|
- fix: https://go.googlesource.com/go/+/ec71ee078fd3243b78c0d404c8634bd97e38d7eb
|
|
- report: https://go.dev/issue/22125
|
|
- web: https://groups.google.com/g/golang-dev/c/RinSE3EiJBI/m/kYL7zb07AgAJ
|