CVE-2018-7187
golang-1.7 - security update
EPSS 7.6%
Description
The "go get" command is vulnerable to remote code execution. When the -insecure command-line option is used, "go get" does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
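The gap between a substring test and real validation, as an added Go example (not the Go project's code and not its actual fix). The helper `strictCheck`, the scheme allowlist and the sample strings are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// weakCheck mirrors the check the description attributes to get/vcs.go:
// the value passes if "://" appears anywhere in the string.
func weakCheck(repoRoot string) bool {
	return strings.Contains(repoRoot, "://")
}

// allowedSchemes is an assumed allowlist chosen for this example.
var allowedSchemes = map[string]bool{"https": true, "http": true, "git": true, "ssh": true}

// strictCheck (hypothetical helper) rejects values a VCS command line could
// read as an option, then requires a parsed, allowlisted scheme and a host.
func strictCheck(repoRoot string) error {
	if strings.HasPrefix(repoRoot, "-") {
		return fmt.Errorf("repo root %q starts with '-'", repoRoot)
	}
	u, err := url.Parse(repoRoot)
	if err != nil {
		return fmt.Errorf("repo root %q: %v", repoRoot, err)
	}
	if !allowedSchemes[u.Scheme] {
		return fmt.Errorf("repo root %q: scheme %q not allowed", repoRoot, u.Scheme)
	}
	if u.Host == "" {
		return fmt.Errorf("repo root %q: missing host", repoRoot)
	}
	return nil
}

func main() {
	// Constructed sample values, not taken from any real server response.
	samples := []string{
		"https://example.com/repo",
		"example.com/repo",
		"unknown://example.com/repo",
		"--constructed-option=x://example.com/repo",
	}
	for _, s := range samples {
		fmt.Printf("%-45q weak=%-5v strict=%v\n", s, weakCheck(s), strictCheck(s) == nil)
	}
}
```

The last two samples pass the substring test but fail once the value is parsed as a URL and checked field by field.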
How to fix CVE-2018-7187
To remediate CVE-2018-7187, upgrade the affected package to one of the fixed versions listed below.
- Debian/golang—upgrade to 2:1.0.2-1.1+deb7u3 or later
- Debian/golang-1.7—upgrade to 1.7.4-2+deb9u1 or later
- —upgrade to 1.9.5 or later
Is CVE-2018-7187 being exploited?
Moderate — EPSS is 7.6%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (3)
- from 0, < 2:1.0.2-1.1+deb7u3
- from 0, < 1.7.4-2+deb9u1
- from 0, < 1.9.5, >= 1.10.0-0, < 1.10.1