CVE-2018-16874

Name of the Vulnerable Software and Affected Versions: Go versions prior to 1.10.6 Go versions 1.11.x prior to 1.11.3

Description: The issue is related to the "go get" command in the Go programming language, which is vulnerable to directory traversal when executed with the import path of a malicious Go package containing curly braces ({ and } characters). This vulnerability can be exploited by a remote attacker to cause an arbitrary filesystem write, potentially leading to code execution. The vulnerability specifically affects GOPATH mode but not module mode.

Recommendations: For Go versions prior to 1.10.6, update to version 1.10.6 or later. For Go versions 1.11.x prior to 1.11.3, update to version 1.11.3 or later. As a temporary workaround, consider avoiding the use of the "go get" command with untrusted import paths until the issue is resolved. Restrict access to the GOPATH mode to minimize the risk of exploitation.