Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-02-07T21:00:00

Updated: 2024-08-05T06:10:10.226Z

Reserved: 2018-02-02T00:00:00

Link: CVE-2018-6574

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-02-07T21:29:00.250

Modified: 2024-11-21T04:10:55.257

Link: CVE-2018-6574

cve-icon Redhat

Severity : Moderate

Publid Date: 2018-02-07T00:00:00Z

Links: CVE-2018-6574 - Bugzilla