HTTP: Google Golang Get Command Injection

This signature detects attempts to exploit a known vulnerability in the Go (golang) client. Successful exploitation allows arbitrary command injection in the security context of the target user.

Extended Description

The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
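The substring check described above, next to a stricter validation, as an added example (not code from the Go project or from this signature). The function names, the scheme allowlist and the sample values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// weakCheck reproduces the check the description attributes to get/vcs.go:
// a repository root passes if "://" occurs anywhere in the string.
func weakCheck(repo string) bool {
	return strings.Contains(repo, "://")
}

// allowedSchemes is an allowlist assumed for this example.
var allowedSchemes = map[string]bool{"https": true, "ssh": true, "git": true}

// strictCheck accepts a repository root only when it parses as an absolute
// URL whose scheme is at the start, is allowlisted, and is followed by a host.
func strictCheck(repo string) error {
	u, err := url.Parse(repo)
	if err != nil {
		return fmt.Errorf("repo root %q: %v", repo, err)
	}
	if !allowedSchemes[u.Scheme] {
		return fmt.Errorf("repo root %q: scheme %q is not allowed", repo, u.Scheme)
	}
	if u.Host == "" {
		return fmt.Errorf("repo root %q: missing host", repo)
	}
	return nil
}

func main() {
	// Constructed sample values, not taken from the page.
	samples := []string{
		"https://example.invalid/repo.git",
		"example.invalid/repo?mirror=https://example.invalid/x",
		"https://",
		"ftp://example.invalid/repo",
	}
	for _, s := range samples {
		fmt.Printf("%-55q weak=%-5v strict=%v\n", s, weakCheck(s), strictCheck(s))
	}
}
```

Every sample passes the substring check; only the first passes the stricter one.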

Affected Products

Golang go

References

CVE: CVE-2018-7187

Short Name: HTTP:STC:DL:GOOGLE-GO-CI
Severity: Major
Recommended: True
Recommended Action: Drop
Category: HTTP
Keywords: CVE-2018-7187 Command Get Golang Google Injection
Release Date: 03/06/2018
Supported Platforms

srx-branch-19.3
vsrx3bsd-19.2
srx-19.4
vsrx3bsd-19.4
srx-branch-19.4
vsrx-19.4
vsrx-19.2
srx-19.3
srx-branch-12.3
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx-12.3
vmx-19.3
srx-12.3

Sigpack Version: 3808
False Positive: Unknown
Vendors: Golang, Debian
CVSS Score: 9.3