x/vulndb: potential Go vuln in std: CVE-2018-12976 #2211

tatianab · 2023-11-08T22:02:00Z

CVE-2018-12976 references std, which may be a Go module.

Description:
In Go Doc Dot Org (gddo) through 2018-06-27, an attacker could use specially crafted tags in packages being fetched by gddo to cause a directory traversal and remote code execution.

References:

NIST: https://nvd.nist.gov/vuln/detail/CVE-2018-12976
web: https://groups.google.com/g/golang-announce/c/4rpTbfzYB1k/m/no6MEwlQAwAJ
fix: golang/gddo@daffe1f
Imported by: https://pkg.go.dev/std?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: std
      packages:
        - package: std
references:
    - web: https://groups.google.com/g/golang-announce/c/4rpTbfzYB1k/m/no6MEwlQAwAJ
    - fix: https://github.com/golang/gddo/commit/daffe1f90ec57f8ed69464f9094753fc6452e983
cve_metadata:
    id: CVE-2018-12976
    cwe: TODO

The text was updated successfully, but these errors were encountered:

gopherbot · 2023-11-08T22:29:07Z

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports

tatianab added the excluded: LEGACY_FALSE_POSITIVE (DO NOT USE) Vulnerability marked as false positive before we introduced the triage process label Nov 8, 2023

gopherbot closed this as completed in 497caf9 Nov 8, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in std: CVE-2018-12976 #2211

x/vulndb: potential Go vuln in std: CVE-2018-12976 #2211

tatianab commented Nov 8, 2023

gopherbot commented Nov 8, 2023

x/vulndb: potential Go vuln in std: CVE-2018-12976 #2211

x/vulndb: potential Go vuln in std: CVE-2018-12976 #2211

Comments

tatianab commented Nov 8, 2023

gopherbot commented Nov 8, 2023