logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-fwj4-72fm-c93g github.com/mutagen-io/mutagen

Package

Manager: go
Name: github.com/mutagen-io/mutagen
Vulnerable Version: >=0 <0.16.6 || >=0.17.0 <0.17.1

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Under-validated ComSpec and cmd.exe resolution in Mutagen projects ### Impact Mutagen projects offer shell-based execution functionality. On Windows, the shell is resolved using the standard `%ComSpec%` mechanism, with a fallback to a `%PATH%`-based search for `cmd.exe`. While this is the standard practice on Windows systems, it presents somewhat risky behavior. Firstly, `%ComSpec%` could, in theory, be set maliciously. Unfortunately, there's not much that can be done to prevent this attack surface, because `%ComSpec%` is the official mechanism for shell specification on Windows. We can, however, validate that it points to an absolute path, which one would expect for a properly set value. Secondly, a fallback to a relative `cmd.exe` path, resolved via `%PATH%`, could be risky. The risk is largely mitigated by changes in Go 1.19 and later, but prior to that a malicious `cmd.exe` could been resolved in the current working directory. To mitigate this issue, Mutagen now uses the `%SystemRoot%` environment variable (also validated to be an absolute path) to resolve `cmd.exe` in the event that `%ComSpec%` is not set correctly. ### Patches The problem has been patched in Mutagen v0.16.6 and v0.17.1. Earlier versions of Mutagen are no longer supported and will not be patched. Versions of Mutagen after v0.18.0 will also have the patch merged. ### Workarounds Maintain control of the environment variable settings on your system, in particular the `ComSpec` environment variable. ### References More information on `%ComSpec%` can be found [online](https://en.wikipedia.org/wiki/COMSPEC). More information on Go's `PATH`-based lookup changes can be found [here](https://go.dev/blog/path-security), [here](https://go.dev/doc/go1.19#os-exec-path), and [here](https://github.com/golang/go/issues/43947). A [similar issue](https://github.com/python/cpython/issues/101283) that was addressed within the Python subprocess module also provides additional discussion.

Metadata

Created: 2023-05-05T02:18:26Z
Modified: 2023-05-05T02:18:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-fwj4-72fm-c93g/GHSA-fwj4-72fm-c93g.json
CWE IDs: []
Alternative ID: N/A
Finding: F098
Auto approve: 1