Vulnerability Name:

CVE-2017-15041 (CCN-133097)

Assigned:2017-10-04
Published:2017-10-04
Updated:2021-03-19
Summary:Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get."
CVSS v3 Severity:9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2017-15041

Source: BID
Type: Third Party Advisory, VDB Entry
101196

Source: CCN
Type: BID-101196
Golang Go CVE-2017-15041 Remote Code Execution Vulnerability

Source: REDHAT
Type: Third Party Advisory
RHSA-2017:3463

Source: REDHAT
Type: Third Party Advisory
RHSA-2018:0878

Source: XF
Type: UNKNOWN
go-cve201715041-cmd-exec(133097)

Source: CCN
Type: Go GIT Repository
cmd/go: arbitrary code execution during “go get” or “go get -d” [Go 1.8] #22125

Source: CONFIRM
Type: Issue Tracking, Patch, Third Party Advisory
https://github.com/golang/go/issues/22125

Source: CONFIRM
Type: Issue Tracking, Patch, Vendor Advisory
https://golang.org/cl/68022

Source: CONFIRM
Type: Issue Tracking, Patch, Vendor Advisory
https://golang.org/cl/68190

Source: CONFIRM
Type: Mailing List, Vendor Advisory
https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210313 [SECURITY] [DLA 2591-1] golang-1.7 security update

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210313 [SECURITY] [DLA 2592-1] golang-1.8 security update

Source: GENTOO
Type: Third Party Advisory
GLSA-201710-23

Vulnerable Configuration:Configuration 1:
  • cpe:/a:golang:go:*:*:*:*:*:*:*:* (Version <= 1.8.3)
  • OR cpe:/a:golang:go:1.9:-:*:*:*:*:*:*

    • Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/a:redhat:developer_tools:1.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_tus:7.6:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_tus:7.7:*:*:*:*:*:*:*

    • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

    • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:golang:go:1.9:*:*:*:*:*:*:*
  • OR cpe:/a:golang:go:1.8.3:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:8012
    P
    		go-1.19-150000.3.26.1 on GA media (Moderate)
    2023-06-20
    oval:org.opensuse.security:def:112331
    P
    		go1.12-1.12.17-4.8 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:112327
    P
    		go-1.17-1.1 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:112343
    P
    		go1.4-1.4.3-12.2 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:112329
    P
    		go1.10-1.10.8-8.2 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:112344
    P
    		go1.9-1.9.7-11.2 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:112330
    P
    		go1.11-1.11.13-10.5 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:105859
    P
    		Security update for java-11-openjdk (Important)
    2021-11-16
    oval:org.opensuse.security:def:105858
    P
    		Security update for tomcat (Important)
    2021-11-16
    oval:org.opensuse.security:def:105851
    P
    		Security update for libvirt (Important)
    2021-10-27
    oval:org.opensuse.security:def:105850
    P
    		Security update for busybox (Important)
    2021-10-27
    oval:org.opensuse.security:def:105852
    P
    		go1.12-1.12.17-4.8 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:105848
    P
    		go-1.17-1.1 on GA media (Moderate)
    2021-10-01
    oval:com.redhat.rhsa:def:20180878
    P
    		RHSA-2018:0878: golang security, bug fix, and enhancement update (Moderate)
    2018-04-10
    oval:com.ubuntu.bionic:def:2017150410000000
    V
    		CVE-2017-15041 on Ubuntu 18.04 LTS (bionic) - low.
    2017-10-05
    oval:com.ubuntu.trusty:def:201715041000
    V
    		CVE-2017-15041 on Ubuntu 14.04 LTS (trusty) - low.
    2017-10-05
    oval:com.ubuntu.xenial:def:2017150410000000
    V
    		CVE-2017-15041 on Ubuntu 16.04 LTS (xenial) - low.
    2017-10-05
    oval:com.ubuntu.artful:def:201715041000
    V
    		CVE-2017-15041 on Ubuntu 17.10 (artful) - low.
    2017-10-05
    oval:com.ubuntu.xenial:def:201715041000
    V
    		CVE-2017-15041 on Ubuntu 16.04 LTS (xenial) - low.
    2017-10-05
    oval:com.ubuntu.bionic:def:201715041000
    V
    		CVE-2017-15041 on Ubuntu 18.04 LTS (bionic) - low.
    2017-10-05
    oval:com.ubuntu.cosmic:def:2017150410000000
    V
    		CVE-2017-15041 on Ubuntu 18.10 (cosmic) - low.
    2017-10-05
    oval:com.ubuntu.cosmic:def:201715041000
    V
    		CVE-2017-15041 on Ubuntu 18.10 (cosmic) - low.
    2017-10-05
    BACK
    golang go *
    golang go 1.9 -
    debian debian linux 9.0
    redhat developer tools 1.0
    redhat enterprise linux eus 7.6
    redhat enterprise linux eus 7.7
    redhat enterprise linux server 7.0
    redhat enterprise linux server aus 7.6
    redhat enterprise linux server aus 7.7
    redhat enterprise linux tus 7.6
    redhat enterprise linux tus 7.7
    golang go 1.9
    golang go 1.8.3