PT-2018-3478 · Go+2

Dmitri Shuralyov

Published 2018-09-07 · Updated 2025-11-28

CVE-2018-16873

CVSS v2.0: 9.3 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Go versions prior to 1.10.6; Go versions 1.11.x prior to 1.11.3
Description: The issue affects the "go get" command and is caused by insufficient input validation when the -u flag is used with a malicious import path; it can lead to remote code execution. The vulnerability is only present in GOPATH mode, not in module mode. An attacker can exploit it by creating a custom domain and using a vanity import path to arrange for a Git repository to be cloned into a directory named ".git". If the root of that Git repository contains specific files and directories, "go get -u" can be tricked into running Git commands on the parent directory, potentially executing malicious commands.
Recommendations: For Go versions prior to 1.10.6, update to version 1.10.6 or later. For Go versions 1.11.x prior to 1.11.3, update to version 1.11.3 or later. As a temporary workaround, avoid using the -u flag with the "go get" command until the update is applied, and restrict access to the "go get" command to minimize the risk of exploitation.
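As an added defender-side check (it is not part of this advisory and not the Go project's own code), the following Go program walks a GOPATH/src tree and flags the layout the description refers to: a directory named ".git" that is itself a cloned repository (it contains its own ".git" entry), recording whether that clone also ships a "hooks" directory in its working tree. The function and type names, and the assumption that the tree to scan is $GOPATH/src, are the author's own.

```go
package main

import (
	"os"
	"path/filepath"
)

// Finding records a checkout under GOPATH/src that sits in a directory named
// ".git", the layout CVE-2018-16873 relies on (the type name is an assumption).
type Finding struct {
	Dir      string // the directory named ".git" that is itself a clone
	HasHooks bool   // the clone ships a "hooks" directory in its working tree
}

func exists(p string) bool {
	_, err := os.Stat(p)
	return err == nil
}

// suspiciousGitDir reports whether dir is named ".git" yet contains its own
// ".git" entry, i.e. a repository was cloned *into* a path ending in ".git".
func suspiciousGitDir(dir string) bool {
	return filepath.Base(dir) == ".git" && exists(filepath.Join(dir, ".git"))
}

// ScanGopathSrc walks root (normally $GOPATH/src) and returns every such layout.
func ScanGopathSrc(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(root, func(path string, d os.DirEntry, err error) error {
		if err != nil || !d.IsDir() {
			return err
		}
		if suspiciousGitDir(path) {
			findings = append(findings, Finding{
				Dir:      path,
				HasHooks: exists(filepath.Join(path, "hooks")),
			})
			return filepath.SkipDir // do not descend into the clone itself
		}
		if d.Name() == ".git" {
			return filepath.SkipDir // ordinary metadata directory: nothing to check
		}
		return nil
	})
	return findings, err
}
```

Call `ScanGopathSrc(filepath.Join(os.Getenv("GOPATH"), "src"))` on a build host; a non-empty result means a vanity import path placed a clone where Git would treat it as the parent directory's metadata, and that tree should be removed before any "go get -u" is run there.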

Fix

RCE


Weakness Enumeration

Related Identifiers

ALT-PU-2018-2289
ALT-PU-2019-1081
BDU:2020-01887
CVE-2018-16873
DLA-2591-1
DLA-2592-1
GO-2022-0189
MGASA-2019-0066
MGASA-2019-0180
OPENSUSE-SU-2018_4181-1
OPENSUSE-SU-2018_4255-1
OPENSUSE-SU-2018_4306-1
OPENSUSE-SU-2019:0170-1
OPENSUSE-SU-2019:0189-1
OPENSUSE-SU-2019:0208-1
OPENSUSE-SU-2019:0295-1
OPENSUSE-SU-2019:1444-1
OPENSUSE-SU-2019:1499-1
OPENSUSE-SU-2019:1506-1
OPENSUSE-SU-2019:1703-1
OPENSUSE-SU-2019_0189-1
OPENSUSE-SU-2019_0208-1
OPENSUSE-SU-2019_0295-1
OPENSUSE-SU-2019_1079-1
OPENSUSE-SU-2019_1444-1
OPENSUSE-SU-2019_1499-1
OPENSUSE-SU-2020:0554-1
OPENSUSE-SU-2020_0554-1
OPENSUSE-SU-2024:10693-1
OPENSUSE-SU-2024:10699-1
OPENSUSE-SU-2024:10722-1
OPENSUSE-SU-2024:10741-1
OPENSUSE-SU-2024:10761-1
OPENSUSE-SU-2024:10802-1
OPENSUSE-SU-2024:10803-1
OPENSUSE-SU-2024:10804-1
OPENSUSE-SU-2024:10805-1
OPENSUSE-SU-2024:10841-1
OPENSUSE-SU-2024:10842-1
OPENSUSE-SU-2024:11358-1
OPENSUSE-SU-2024_3656-1
OPENSUSE-SU-2025:15589-1
OPENSUSE-SU-2025:15779-1
SUSE-SU-2018:4297-1
SUSE-SU-2019:0048-1
SUSE-SU-2019:0048-2
SUSE-SU-2019:0286-1
SUSE-SU-2019:0495-1
SUSE-SU-2019:0573-1
SUSE-SU-2019:1234-1
SUSE-SU-2019:1234-2
SUSE-SU-2019:1264-1
SUSE-SU-2021:1458-1
SUSE-SU-2024:3656-1
SUSE-SU-2025:03540-1
SUSE-SU-2025:03545-1

Affected Products

Alt Linux
Go
Suse