7.8

CVE-2018-6574

Exploit
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
GolangGo Version <= 1.8.6
GolangGo Version1.9
GolangGo Version1.9.1
GolangGo Version1.9.2
GolangGo Version1.9.3
GolangGo Version1.10 Updatebeta1
GolangGo Version1.10 Updatebeta2
GolangGo Version1.10 Updaterc1
DebianDebian Linux Version9.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 7.77% 0.939
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.8 1.8 5.9
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 4.6 3.9 6.4
AV:L/AC:L/Au:N/C:P/I:P/A:P
CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://access.redhat.com/errata/RHSA-2018:0878
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:1304
Third Party Advisory
https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/CVE-2018-6574
Third Party Advisory
Exploit
https://github.com/golang/go/issues/23672
Third Party Advisory
Issue Tracking
https://groups.google.com/forum/#%21topic/golang-nuts/Gbhh1NxAjMU
https://groups.google.com/forum/#%21topic/golang-nuts/sprOaQ5m3Dk
https://www.debian.org/security/2019/dsa-4380
Third Party Advisory