CVE-2018-6574

Name
CVE-2018-6574
Description
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Issue Tracking https://github.com/golang/go/issues/23672
Exploit https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/CVE-2018-6574
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:0878
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:1304
Mailing List https://groups.google.com/forum/#!topic/golang-nuts/sprOaQ5m3Dk
Mailing List https://groups.google.com/forum/#!topic/golang-nuts/Gbhh1NxAjMU
Third Party Advisory https://www.debian.org/security/2019/dsa-4380

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:golang:go:1.10:beta2:*:*:*:*:*:* go == None == 1.10
cpe:2.3:a:golang:go:1.9:*:*:*:*:*:*:* go == None == 1.9
cpe:2.3:a:golang:go:1.9.2:*:*:*:*:*:*:* go == None == 1.9.2
cpe:2.3:a:golang:go:1.9.3:*:*:*:*:*:*:* go == None == 1.9.3
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* go >= None <= 1.8.6
cpe:2.3:a:golang:go:1.9.1:*:*:*:*:*:*:* go == None == 1.9.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
go edge-community 1.9.4-r0 None fixed
go 3.22-community 1.9.4-r0 None fixed
go 3.21-community 1.9.4-r0 None fixed
go 3.20-community 1.9.4-r0 None fixed
go 3.19-community 1.9.4-r0 None fixed
go 3.18-community 1.9.4-r0 None fixed
go 3.17-community 1.9.4-r0 None fixed