CVE-2018-16874

Source
Severity: High
Remote: Yes
Type: Directory traversal

Description
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when it is run with the import path of a malicious Go package whose import path contains curly braces (both the '{' and '}' characters). It is vulnerable only in GOPATH mode, not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). An attacker can cause an arbitrary filesystem write, which can lead to code execution.
Group     Package      Affected     Fixed        Severity  Status  Ticket
AVG-835   go, go-pie   2:1.11.2-2   2:1.11.3-1   High      Fixed

Date          Advisory        Group     Package  Severity  Type
18 Dec 2018   ASA-201812-12   AVG-835   go-pie   High      multiple issues
18 Dec 2018   ASA-201812-11   AVG-835   go       High      multiple issues
References
https://github.com/golang/go/issues/29231
https://github.com/golang/go/commit/8954addb3294a5e664a9833354bafa58f163fe8f
https://github.com/golang/go/commit/90d609ba6156299642d08afc06d85ab770a03972