PT-2017-13829 · Go+3

Simon Rawet · Published 2017-10-05 · Updated 2024-06-15 · CVE-2017-15041

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

- Go versions 1.8.0 through 1.8.3
- Go version 1.9.0

Description

The issue allows remote command execution through the "go get" command. By using custom import domains, an attacker can trick "go get" into reusing a Git checkout that is stored inside a Subversion repository, so that hook scripts under .git/hooks/ run on the system executing "go get". The layout that triggers this: the custom domain is arranged so that example.com/pkg1 resolves to a Subversion repository and example.com/pkg1/pkg2 resolves to a Git repository, and a Git checkout (including its .git/hooks/ directory) is committed into the Subversion repository's pkg2 directory. When "go get" fetches pkg1 with Subversion and then fetches pkg2, it finds the nested checkout already on disk and treats it as a trusted Git working tree, running its hooks.

Recommendations

For Go versions 1.8.0 through 1.8.3, update to version 1.8.4 or later. For Go version 1.9.0, update to version 1.9.1 or later. As a temporary workaround, consider restricting the use of the "go get" command until the update can be applied. Avoid using custom import domains that point to both Subversion and Git repositories to minimize the risk of exploitation.
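The on-disk layout the description relies on (a Git working tree, with hook scripts, nested inside a Subversion checkout) is something a defender can look for in an existing GOPATH tree before running an unpatched "go get". The following Go program is an added example written for this page, not code from the advisory or from the Go project: it walks a source tree, and for every .git directory that sits below a directory containing .svn metadata it reports the executable, non-sample files under .git/hooks. The function name FindNestedGitHooks and the NestedHook type are assumptions of this example; the tree it scans is constructed by the caller.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// NestedHook describes one Git hook script found inside a Subversion checkout.
// (Type name is an assumption of this example, not part of the Go toolchain.)
type NestedHook struct {
	SvnRoot string // nearest enclosing directory that holds .svn metadata
	Hook    string // path of the executable hook file under .git/hooks
}

// FindNestedGitHooks walks root (for example a GOPATH/src tree) and reports every
// executable, non-sample file under a .git/hooks directory that lives below a
// directory containing .svn metadata. That is the layout the advisory describes:
// a Git checkout committed inside a Subversion repository, whose hooks would run
// if an unpatched "go get" reused it as a Git working tree.
func FindNestedGitHooks(root string) ([]NestedHook, error) {
	var found []NestedHook
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil {
			return err
		}
		if !info.IsDir() || filepath.Base(path) != ".git" {
			return nil
		}
		// Only a .git directory with a Subversion checkout above it is of interest.
		svnRoot, ok := enclosingSvnRoot(filepath.Dir(path), root)
		if !ok {
			return filepath.SkipDir
		}
		hooksDir := filepath.Join(path, "hooks")
		entries, readErr := os.ReadDir(hooksDir)
		if readErr != nil {
			return filepath.SkipDir // no hooks directory: nothing Git could run
		}
		for _, e := range entries {
			if e.IsDir() || strings.HasSuffix(e.Name(), ".sample") {
				continue // Git ignores *.sample files
			}
			fi, statErr := e.Info()
			if statErr != nil || fi.Mode()&0o111 == 0 {
				continue // not executable: Git would not run it
			}
			found = append(found, NestedHook{SvnRoot: svnRoot, Hook: filepath.Join(hooksDir, e.Name())})
		}
		return filepath.SkipDir // do not descend into .git internals
	})
	return found, err
}

// enclosingSvnRoot climbs from dir toward root and returns the nearest directory
// that contains .svn metadata, if any.
func enclosingSvnRoot(dir, root string) (string, bool) {
	for {
		if st, err := os.Stat(filepath.Join(dir, ".svn")); err == nil && st.IsDir() {
			return dir, true
		}
		if dir == root || dir == filepath.Dir(dir) {
			return "", false
		}
		dir = filepath.Dir(dir)
	}
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	hooks, err := FindNestedGitHooks(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "walk failed:", err)
		os.Exit(2)
	}
	for _, h := range hooks {
		fmt.Printf("executable Git hook %s inside Subversion checkout %s\n", h.Hook, h.SvnRoot)
	}
	if len(hooks) > 0 {
		os.Exit(1) // non-zero exit makes the finding usable from CI or a pre-fetch check
	}
}
```

Run it as `go run . /path/to/gopath/src`; a non-zero exit means at least one nested hook was found. The check is intentionally narrow: a plain Git clone with hooks, or a Subversion checkout without a nested .git, is normal and is not reported. Only the combination the advisory describes is flagged, and the permanent fix remains updating Go to 1.8.4 / 1.9.1 or later.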

Exploit

Fix


Related identifiers

ALT-PU-2018-1024
CESA-2018_0878
CVE-2017-15041
DLA-1148-1
DLA-2591-1
DLA-2592-1
GO-2022-0177
MGASA-2018-0089
OPENSUSE-SU-2024:10802-1
OPENSUSE-SU-2024:10803-1
OPENSUSE-SU-2024:10804-1
OPENSUSE-SU-2024:10805-1
OPENSUSE-SU-2024:10811-1
OPENSUSE-SU-2024:10812-1
RHSA-2017:3463
RHSA-2018:0878
RHSA-2018_0878

Affected products

Alt Linux
Centos
Go
Red Hat