Vulnerabilities > Golang > GO > 1.9.4

DATE CVE VULNERABILITY TITLE RISK
2018-12-14 CVE-2018-16875 Improper Certificate Validation vulnerability in multiple products
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service.
network
low complexity
golang opensuse CWE-295
7.5
7.5
2018-12-14 CVE-2018-16874 In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters).
network
high complexity
golang opensuse suse debian
8.1
8.1
2018-12-14 CVE-2018-16873 In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly.
network
high complexity
golang opensuse suse debian
8.1
8.1
2018-02-16 CVE-2018-7187 OS Command Injection vulnerability in multiple products
The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
network
low complexity
golang debian CWE-78
8.8
8.8