CVE-2018-6574

Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.

Weakness: Improper Control of Generation of Code ('Code Injection')

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Published: 2018-02-07

Community Advisory

This section is open source, for any additional information that enhances or clarifies the official advisory above.

Improve Advisory

CVE-2018-6574 Exploits (53)

• neargle/CVE-2018-6574-POC ( 21)
• mekhalleh/cve-2018-6574 ( 1)
• Yashrk078/Test_CVE-2018-6574
• acole76/cve-2018-6574
• ahmetmanga/cve-2018-6574
• ahmetmanga/go-get-rce
• chaosura/CVE-2018-6574
• coblax/CVE-2018-6574
• d4rkshell/go-get-rce
• dollyptm/cve-2018-6574

Show all exploits (+43):

• duckzsc2/CVE-2018-6574-POC
• french560/ptl6574
• frozenkp/CVE-2018-6574
• illnino/CVE-2018-6574
• it3x55/CVE-2018-6574
• ivnnn1/CVE-2018-6574
• jongmartinez/CVE-2018-6574-POC
• kawkab101/cve-2018-6574
• kev-ho/cve-2018-6574-payload
• l4rm4nd/CVE-2018-6574
• lsnakazone/cve-2018-6574
• michiiii/go-get-exploit
• nthuong95/CVE-2018-6574
• redirected/cve-2018-6574
• sdosis/cve-2018-6574
• shivam18u/CVE-2018-6574
• willbo4r/go-get-rce
• yitingfan/CVE-2018-6574_demo
• zur250/Zur-Go-GET-RCE-Solution
• 20matan/CVE-2018-6574-POC
• Eugene24/CVE-2018-6574
• mhamed366/CVE-2018-6574
• azzzzzzzzzzzzzzzzz/CVE-2018-6574
• FilipeFraqueiro/CVE-2018-6574
• NikolaT3sla/cve-2018-6574
• shadofren/CVE-2018-6574
• vishack/CVE-2018-6574
• PLP-Orange/cve-2018-6574-exercise
• purgedemo/CVE-2018-6574
• purgedemo/CVE-2018-6574_2
• kenprice/cve-2018-6574
• veter069/go-get-rce
• qweraqq/CVE-2018-6574
• InfoSecJack/CVE-2018-6574
• drset/golang
• No1zy/CVE-2018-6574-PoC
• darthvader-htb/CVE-2018-6574
• Malone5923/CVE-2018-6574-go-get-RCE
• pswalia2u/CVE-2018-6574
• asavior2/CVE-2018-6574
• AdriVillaB/CVE-2018-6574
• Yealid/CVE-2018-6574
• TakuCoder/CVE-2018-6574

Research Labs

Official CVE References

View references (7)

• redhat.com/errata/RHSA-2018:0878
• redhat.com/errata/RHSA-2018:1304
• golang/go/issues/23672
• KINGSABRI/CVE-in-Ruby/tree/master/CVE-2018-6574
• google.com/forum/
• google.com/forum/
• debian.org/security/2019/dsa-4380