CVE-2018-16874

Severity: High
Remote: Yes
Type: Directory traversal
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at The attacker can cause an arbitrary filesystem write, which can lead to code execution.
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-835 | go, go-pie | 2:1.11.2-2 | 2:1.11.3-1 | High | Fixed | |

| Date | Advisory | Group | Package | Severity | Type |
|---|---|---|---|---|---|
| 18 Dec 2018 | ASA-201812-12 | AVG-835 | go-pie | High | multiple issues |
| 18 Dec 2018 | ASA-201812-11 | AVG-835 | go | High | multiple issues |