CVE-2017-15041
critical
CVSS v3
9.8
CVSS v2
7.5
VIR risk
9.8
Description
Remote command execution via "go get" in cmd/go
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ
Vendor advisory: cve@mitre.org — https://golang.org/cl/68190
Vendor advisory: cve@mitre.org — https://golang.org/cl/68022
Vendor advisory: cve@mitre.org — https://github.com/golang/go/issues/22125
Vendor advisory: arch — https://security.archlinux.org/ASA-201710-15
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| arch | fixed | 2:1.9.1-1 | |
| debian | 9.0 | affected | |
| rhel | 7.6 | affected | |
| rhel | 7.7 | affected | |
| rhel | 7.0 | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Go | toolchain | >=1.9.0-0,<1.9.1 | 1.8.4 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| golang | go | {"endIncluding":"1.8.3"} | |
| golang | go | 1.9 | |
| redhat | developer_tools | 1.0 | |
References
- https://security.archlinux.org/ASA-201710-15
- http://www.securityfocus.com/bid/101196
- https://access.redhat.com/errata/RHSA-2017:3463
- https://access.redhat.com/errata/RHSA-2018:0878
- https://github.com/golang/go/issues/22125
- https://golang.org/cl/68022
- https://golang.org/cl/68190
- https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ
- https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html
- https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html
- https://security.gentoo.org/glsa/201710-23
- https://go.dev/cl/68110
- https://go.googlesource.com/go/+/ec71ee078fd3243b78c0d404c8634bd97e38d7eb
- https://go.dev/issue/22125
- https://groups.google.com/g/golang-dev/c/RinSE3EiJBI/m/kYL7zb07AgAJ
Verify integrity in audit chain (admin only). AS-IS.