Is CVE-2018-16874 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 5%.

What products does CVE-2018-16874 affect?

Tracked products affected include Go, SUSE Linux Enterprise Server. Check the version you run to see whether it is affected.

How do I fix CVE-2018-16874?

Apply the vendor fix promptly. Upgrade affected products to a fixed version.

← All products

CVE-2018-16874

Q: What is CVE-2018-16874?

CVE-2018-16874 is a high-severity software vulnerability (Improper input validation) with a CVSS score of 8.1. In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it

HIGH severity · CVSS 8.1 · Improper input validation

8.1CVSS HIGH

Summary

In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.

Impact & exploitability

Attack vectorNetwork

Attack complexityHigh

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)5%

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (2)

Go SUSE Linux Enterprise Server

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

CVE-2018-16874

Summary

Impact & exploitability

Affected products we track (2)

Recommendation

Additional information