製品・ソフトウェアに関する情報

JVN脆弱性詳細

Go におけるアクセス制御に関する脆弱性

Title	Go におけるアクセス制御に関する脆弱性
Summary	Go には、アクセス制御に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 5, 2017, midnight
Registration Date	Nov. 7, 2017, 5:33 p.m.
Last Update	Nov. 7, 2017, 5:33 p.m.

CVSS3.0 : 緊急
Score	9.8
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2.0 : 危険
Score	7.5
Vector	AV:N/AC:L/Au:N/C:P/I:P/A:P

Affected System

The Go Project

Go 1.8.4 未満

Go 1.9.1 未満の 1.9.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-15041	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15041
National Vulnerability Database (NVD)
2	CVE-2017-15041	https://nvd.nist.gov/vuln/detail/CVE-2017-15041

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-284	https://cwe.mitre.org/data/definitions/284.html

ベンダー情報

No	Name	URL
Gerrit Code Review
1	[release-branch.go1.8] cmd/go: reject update of VCS inside VCS	https://go-review.googlesource.com/c/go/+/68190
2	[release-branch.go1.9] cmd/go: reject update of VCS inside VCS	https://go-review.googlesource.com/c/go/+/68022
GitHub
3	cmd/go: arbitrary code execution during “go get” or “go get -d” [Go 1.8] #22125	https://github.com/golang/go/issues/22125
Google Groups
4	[security] Go 1.8.4 and Go 1.9.1 are released	https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ

Change Log

No	Changed Details	Date of change
0	[2017年11月07日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2017-15041

Summary	Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get."
Publication Date	Oct. 6, 2017, 6:29 a.m.
Registration Date	Jan. 26, 2021, 1:16 p.m.
Last Update	Nov. 21, 2024, 12:13 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:golang:go::::::::		1.8.3
cpe:2.3:a:golang:go:1.9:-::::::

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:9.0:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_tus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.7:::::::*
cpe:2.3:a:redhat:developer_tools:1.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_tus:7.7:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.securityfocus.com/bid/101196	Third Party Advisory VDB Entry
2	http://www.securityfocus.com/bid/101196	Third Party Advisory VDB Entry
3	https://access.redhat.com/errata/RHSA-2017:3463	Third Party Advisory
4	https://access.redhat.com/errata/RHSA-2017:3463	Third Party Advisory
5	https://access.redhat.com/errata/RHSA-2018:0878	Third Party Advisory
6	https://access.redhat.com/errata/RHSA-2018:0878	Third Party Advisory
7	https://github.com/golang/go/issues/22125	Issue Tracking Patch Third Party Advisory
8	https://github.com/golang/go/issues/22125	Issue Tracking Patch Third Party Advisory
9	https://golang.org/cl/68022	Issue Tracking Patch Vendor Advisory
10	https://golang.org/cl/68022	Issue Tracking Patch Vendor Advisory
11	https://golang.org/cl/68190	Issue Tracking Patch Vendor Advisory
12	https://golang.org/cl/68190	Issue Tracking Patch Vendor Advisory
13	https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ	Mailing List Vendor Advisory
14	https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ	Mailing List Vendor Advisory
15	https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html	Mailing List Third Party Advisory
16	https://lists.debian.org/debian-lts-announce/2021/03/msg00014.html	Mailing List Third Party Advisory
17	https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html	Mailing List Third Party Advisory
18	https://lists.debian.org/debian-lts-announce/2021/03/msg00015.html	Mailing List Third Party Advisory
19	https://security.gentoo.org/glsa/201710-23	Third Party Advisory
20	https://security.gentoo.org/glsa/201710-23	Third Party Advisory

Common Vulnerabilities List

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_tus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.7:::::::*
cpe:2.3:a:redhat:developer_tools:1.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_tus:7.7:::::::*