CVE-2017-15041

Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get."

CVSS v3.0 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ	Mailing List Vendor Advisory
https://golang.org/cl/68190	Issue Tracking Patch Vendor Advisory
https://golang.org/cl/68022	Issue Tracking Patch Vendor Advisory
https://github.com/golang/go/issues/22125	Issue Tracking Patch Third Party Advisory
http://www.securityfocus.com/bid/101196	Third Party Advisory VDB Entry
https://security.gentoo.org/glsa/201710-23	Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3463	Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0878	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:golang:go::::::::
	cpe:2.3:a:golang:go:1.9:-::::::

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR	cpe:2.3:a:redhat:developer_tools:1.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:7.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:7.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux_tus:7.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_tus:7.7:::::::*

Information

Published : 2017-10-05 14:29

Updated : 2021-03-19 13:11

NVD link : CVE-2017-15041

Mitre link : CVE-2017-15041

JSON object : View

CWE

NVD-CWE-noinfo

Products Affected

redhat

developer_tools
enterprise_linux_server_aus
enterprise_linux_tus
enterprise_linux_server
enterprise_linux_eus

golang

debian

debian_linux

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ", "name": "https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ", "tags": ["Mailing List", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "https://golang.org/cl/68190", "name": "https://golang.org/cl/68190", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "https://golang.org/cl/68022", "name": "https://golang.org/cl/68022", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "https://github.com/golang/go/issues/22125", "name": "https://github.com/golang/go/issues/22125", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "http://www.securityfocus.com/bid/101196", "name": "101196", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "BID"}, {"url": "https://security.gentoo.org/glsa/201710-23", "name": "GLSA-201710-23", "tags": ["Third Party Advisory"], "refsource": "GENTOO"}, {"url": "https://access.redhat.com/errata/RHSA-2017:3463", "name": "RHSA-2017:3463", "tags": ["Third Party Advisory"], "refsource": "REDHAT"}, {"url": "https://access.redhat.com/errata/RHSA-2018:0878", "name": "RHSA-2018:0878", "tags": ["Third Party Advisory"], "refsource": "REDHAT"}, {"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html", "name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2592-1] golang-1.8 security update", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}, {"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html", "name": "[debian-lts-announce] 20210313 [SECURITY] [DLA 2591-1] golang-1.7 security update", "tags": ["Mailing List", "Third Party Advisory"], "refsource": "MLIST"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Go before 1.8.4 and 1.9.x before 1.9.1 allows \"go get\" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, \"go get\" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running \"go get.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2017-15041", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}}, "publishedDate": "2017-10-05T21:29Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "1.8.3"}, {"cpe23Uri": "cpe:2.3:a:golang:go:1.9:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:redhat:developer_tools:1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_tus:7.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_tus:7.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2021-03-19T20:11Z"}

9.8 /10