Unknown
CVE-2017-15041
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2017-15041
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Go before 1.8.4 and 1.9.x before 1.9.1 allows “go get” remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, “go get” can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository’s Git checkout has malicious commands in .git/hooks/, they will execute on the system running “go get.”
Add Assessment
No one has assessed this topic. Be the first to add your voice to the community.
CVSS V3 Severity and Metrics
General Information
Vendors
- debian,
- golang,
- redhat
Products
- debian linux 9.0,
- developer tools 1.0,
- enterprise linux eus 7.6,
- enterprise linux eus 7.7,
- enterprise linux server 7.0,
- enterprise linux server aus 7.6,
- enterprise linux server aus 7.7,
- enterprise linux tus 7.6,
- enterprise linux tus 7.7,
- go,
- go 1.9
References
Advisory
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: