CVE-2017-15041 — CRITICAL (9.8)

Q: How severe is CVE-2017-15041?

CVE-2017-15041 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2017-15041?

Check the references section above for vendor advisories and patch information. Affected products include: Golang Go, Debian Debian Linux, Redhat Developer Tools, Redhat Enterprise Linux Eus, Redhat Enterprise Linux Server.

Vulnerability Description

Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get."

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Golang	Go	<= 1.8.3
Debian	Debian Linux	9.0
Redhat	Developer Tools	1.0
Redhat	Enterprise Linux Eus	7.6
Redhat	Enterprise Linux Server	7.0
Redhat	Enterprise Linux Server Aus	7.6
Redhat	Enterprise Linux Tus	7.6

References

http://www.securityfocus.com/bid/101196Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2017:3463Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0878Third Party Advisory
https://github.com/golang/go/issues/22125Issue TrackingPatchThird Party Advisory
https://golang.org/cl/68022Issue TrackingPatchVendor Advisory
https://golang.org/cl/68190Issue TrackingPatchVendor Advisory
https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJMailing ListVendor Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00014.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00015.htmlMailing ListThird Party Advisory
https://security.gentoo.org/glsa/201710-23Third Party Advisory
http://www.securityfocus.com/bid/101196Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2017:3463Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0878Third Party Advisory
https://github.com/golang/go/issues/22125Issue TrackingPatchThird Party Advisory
https://golang.org/cl/68022Issue TrackingPatchVendor Advisory

FAQ

What is CVE-2017-15041?

CVE-2017-15041 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but e...

How severe is CVE-2017-15041?

CVE-2017-15041 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2017-15041?

Check the references section above for vendor advisories and patch information. Affected products include: Golang Go, Debian Debian Linux, Redhat Developer Tools, Redhat Enterprise Linux Eus, Redhat Enterprise Linux Server.