Name | CVE-2018-7187 |
Description | The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more) |
References | DLA-1294-1, DSA-4379-1, DSA-4380-1 |
Debian Bugs | 895663, 895664, 895665 |
The information below is based on the following data on fixed versions.