Vulnerability Name: | CVE-2018-6574 | ||||||||||||||||||||||||
Assigned: | 2018-02-02 | ||||||||||||||||||||||||
Published: | 2018-02-07 | ||||||||||||||||||||||||
Updated: | 2018-04-11 | ||||||||||||||||||||||||
Summary: | Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked. | ||||||||||||||||||||||||
CVSS v3 Severity: | 9.8 Critical (CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 8.6 High (Temporal CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:R)
8.6 High (CCN Temporal CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:R)
5.1 Medium (REDHAT Temporal CVSS v3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L/E:U/RL:U/RC:R)
| ||||||||||||||||||||||||
CVSS v2 Severity: | 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
| ||||||||||||||||||||||||
Vulnerability Type: | CWE-284 CWE-20 | ||||||||||||||||||||||||
References: | Source: REDHAT Type: UNKNOWN RHSA-2018:0878 Source: XF Type: UNKNOWN go-cve20186574-cmd-exec(138852) Source: CONFIRM Type: VENDOR_ADVISORY https://github.com/golang/go/issues/23672 Source: MISC Type: UNKNOWN https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/CVE-2018-6574 Source: CONFIRM Type: VENDOR_ADVISORY https://groups.google.com/forum/#!topic/golang-nuts/Gbhh1NxAjMU Source: CONFIRM Type: VENDOR_ADVISORY https://groups.google.com/forum/#!topic/golang-nuts/sprOaQ5m3Dk | ||||||||||||||||||||||||
Vulnerable Configuration: | Configuration 1: Configuration RedHat 1: ![]() | ||||||||||||||||||||||||
Oval Definitions | |||||||||||||||||||||||||
| |||||||||||||||||||||||||
BACK |