{"id":"GO-2022-0203","summary":"Remote command execution via \"go get\" command with \"-insecure\" option in cmd/go","details":"The \"go get\" command is vulnerable to remote code execution.\n\nWhen the -insecure command-line option is used, \"go get\" does not validate the import path (get/vcs.go only checks for \"://\" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.","aliases":["CVE-2018-7187"],"modified":"2024-05-20T16:03:47Z","published":"2022-08-09T23:19:00Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0203","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://go.dev/cl/94603"},{"type":"FIX","url":"https://go.googlesource.com/go/+/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc"},{"type":"REPORT","url":"https://go.dev/issue/23867"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/IkPkOF8JqLs/m/TFBbWHJYAwAJ"}],"affected":[{"package":{"name":"toolchain","ecosystem":"Go","purl":"pkg:golang/toolchain"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.9.5"},{"introduced":"1.10.0-0"},{"fixed":"1.10.1"}]}],"ecosystem_specific":{"imports":[{"path":"cmd/go"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-0203.json"}}],"schema_version":"1.7.3","credits":[{"name":"Arthur Khashaev"}]}