CVE-2018-6574
HIGH severity · CVSS 7.8 · Code injection
7.8CVSS HIGH
Summary
Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
Impact & exploitability
Attack vectorLocal
Attack complexityLow
Privileges requiredLow
User interactionNone
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)37%
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Additional information
- NVD record
- https://access.redhat.com/errata/RHSA-2018:0878Advisory
- https://access.redhat.com/errata/RHSA-2018:1304Advisory
- https://github.com/golang/go/issues/23672Advisory
- https://groups.google.com/forum/#%21topic/golang-nuts/Gbhh1NxAjMU
- https://groups.google.com/forum/#%21topic/golang-nuts/sprOaQ5m3Dk
- https://www.debian.org/security/2019/dsa-4380Advisory
- https://access.redhat.com/errata/RHSA-2018:0878Advisory
- https://github.com/KINGSABRI/CVE-in-Ruby/tree/master/CVE-2018-6574Advisory