{"schema_version":"1.3.1","id":"GO-2022-0190","modified":"2024-05-20T16:03:47Z","published":"2022-08-02T15:44:23Z","aliases":["CVE-2018-16874"],"summary":"Directory traversal via \"go get\" command in cmd/go","details":"The \"go get\" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly brace (both '{' and '}' characters).\n\nSpecifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.","affected":[{"package":{"name":"toolchain","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.10.6"},{"introduced":"1.11.0-0"},{"fixed":"1.11.3"}]}],"ecosystem_specific":{"imports":[{"path":"cmd/go/internal/get","symbols":["downloadPackage"]}]}}],"references":[{"type":"FIX","url":"https://go.dev/cl/154101"},{"type":"FIX","url":"https://go.googlesource.com/go/+/bc82d7c7db83487e05d7a88e06549d4ae2a688c3"},{"type":"REPORT","url":"https://go.dev/issue/29230"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/Kw31K8G7Fi0"}],"credits":[{"name":"ztz of Tencent Security Platform"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0190","review_status":"REVIEWED"}}