Vulnerability Report: GO-2022-0177

CVE-2017-15041
Affects: cmd/go
Published: Aug 09, 2022
Modified: Jun 12, 2023

The "go get" command allows remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get".

Affected Packages

Path

Versions

Symbols
cmd/go

before go1.8.4, from go1.9.0-0 before go1.9.1

all symbols

Aliases

CVE-2017-15041

References

https://go.dev/cl/68110
https://go.googlesource.com/go/+/ec71ee078fd3243b78c0d404c8634bd97e38d7eb
https://go.dev/issue/22125
https://groups.google.com/g/golang-dev/c/RinSE3EiJBI/m/kYL7zb07AgAJ
https://vuln.go.dev/ID/GO-2022-0177.json

Credits

Simon Rawet

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL