GHSA-x5c7-x7m2-rhmf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-x5c7-x7m2-rhmf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-x5c7-x7m2-rhmf/GHSA-x5c7-x7m2-rhmf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-x5c7-x7m2-rhmf
- Aliases
- Published
- 2021-05-20T16:50:34Z
- Modified
- 2024-08-21T15:42:05.145523Z
- Summary
- Local directory executable lookup in sops (Windows-only)
- Details
-
Impact
Windows users using the sops direct editor option (
sops file.yaml) can have a local executable named eithervi,vim, ornanoexecuted if running sops fromcmd.exeThis attack is only viable if an attacker is able to place a malicious binary within the directory you are running sops from. As well, this attack will only work when using
cmd.exeor the Windows C library SearchPath function. This is a result of these Windows tools including.within theirPATHby default.If you are using sops within untrusted directories on Windows via
cmd.exe, please upgrade immediatelyAs well, if you have
.within your default $PATH, please upgrade immediately.More information can be found on the official Go blog: https://blog.golang.org/path-security
Patches
The problem has been resolved in v3.7.1
Now, if Windows users using cmd.exe run into this issue, a warning message will be printed:
vim resolves to executable in current directory (.\vim.exe)References
- https://blog.golang.org/path-security
For more information
If you have any questions or comments about this advisory: * Open a discussion in sops
- Database specific
{ "severity": "LOW", "nvd_published_at": null, "github_reviewed_at": "2021-05-20T16:50:13Z", "github_reviewed": true, "cwe_ids": [] }- References
Affected packages
Go / go.mozilla.org/sops/v3
Package
- Name
- go.mozilla.org/sops/v3
- View open source insights on deps.dev
- Purl
- pkg:golang/go.mozilla.org/sops/v3