GHSA-x5c7-x7m2-rhmf go.mozilla.org/sops/v3

Package

Manager: go
Name: go.mozilla.org/sops/v3
Vulnerable Version: >=0 <3.7.1

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Local directory executable lookup in sops (Windows-only)

### Impact

Windows users using the sops direct editor option (`sops file.yaml`) can have a local executable named `vi`, `vim`, or `nano` executed if running sops from `cmd.exe`. This attack is only viable if an attacker is able to place a malicious binary within the directory you are running sops from. As well, this attack will only work when using `cmd.exe` or the Windows C library [SearchPath function](https://docs.microsoft.com/en-us/windows/win32/api/processenv/nf-processenv-searchpatha). This is a result of these Windows tools including `.` within their `PATH` by default.

**If you are using sops within untrusted directories on Windows via `cmd.exe`, please upgrade immediately.** **As well, if you have `.` within your default $PATH, please upgrade immediately.**

More information can be found on the official Go blog: https://blog.golang.org/path-security

### Patches

The problem has been resolved in v3.7.1. Now, if Windows users using cmd.exe run into this issue, a warning message will be printed: `vim resolves to executable in current directory (.\vim.exe)`

### References

* https://blog.golang.org/path-security

### For more information

If you have any questions or comments about this advisory:

* Open a discussion in [sops](https://github.com/mozilla/sops/discussions)
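A defender-side illustration of the check the patch describes, added here and not taken from the sops code base: resolve the editor with Go's `os/exec` and refuse any result that is relative to the current directory instead of launching it. The function names, `ErrCurrentDir`, and the candidate list are this example's own; the message format mirrors the warning quoted above.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// ErrCurrentDir marks the advisory's failure mode: the editor resolved to ".".
var ErrCurrentDir = errors.New("executable found relative to current directory")

// guardEditorPath takes an editor name and the path exec.LookPath resolved it
// to, and refuses anything that is not absolute (i.e. came from "." in PATH).
func guardEditorPath(name, resolved string) error {
	if !filepath.IsAbs(resolved) {
		return fmt.Errorf("%s resolves to executable in current directory (%s): %w",
			name, resolved, ErrCurrentDir)
	}
	return nil
}

// lookupEditor tries each candidate in order, as the direct editor mode does,
// and returns the first one that resolves to an absolute path. Go 1.19+
// LookPath already rejects "." matches (exec.ErrDot); the explicit check
// above also covers older toolchains and hand-built PATH values.
func lookupEditor(candidates []string) (string, error) {
	var lastErr error
	for _, name := range candidates {
		resolved, err := exec.LookPath(name)
		if err == nil {
			err = guardEditorPath(name, resolved)
		}
		if err != nil {
			lastErr = err
			continue
		}
		return resolved, nil
	}
	return "", fmt.Errorf("no usable editor among %v: %w", candidates, lastErr)
}

func main() {
	// $EDITOR first, then the fallbacks named in the advisory.
	editor, err := lookupEditor([]string{os.Getenv("EDITOR"), "vim", "vi", "nano"})
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to launch editor:", err)
		os.Exit(1)
	}
	fmt.Println("editor:", editor)
}
```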

Metadata

Created: 2021-05-20T16:50:34Z
Modified: 2021-05-20T16:50:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-x5c7-x7m2-rhmf/GHSA-x5c7-x7m2-rhmf.json
CWE IDs: []
Alternative ID: N/A
Finding: F098
Auto approve: 1