GHSA-X5C7-X7M2-RHMF
Vulnerability from github – Published: 2021-05-20 16:50 – Updated: 2021-05-20 16:50Impact
Windows users using the sops direct editor option (sops file.yaml) can have a local executable named either vi, vim, or nano executed if running sops from cmd.exe
This attack is only viable if an attacker is able to place a malicious binary within the directory you are running sops from. As well, this attack will only work when using cmd.exe or the Windows C library SearchPath function. This is a result of these Windows tools including . within their PATH by default.
If you are using sops within untrusted directories on Windows via cmd.exe, please upgrade immediately
As well, if you have . within your default $PATH, please upgrade immediately.
More information can be found on the official Go blog: https://blog.golang.org/path-security
Patches
The problem has been resolved in v3.7.1
Now, if Windows users using cmd.exe run into this issue, a warning message will be printed:
vim resolves to executable in current directory (.\vim.exe)
References
- https://blog.golang.org/path-security
For more information
If you have any questions or comments about this advisory: * Open a discussion in sops
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "go.mozilla.org/sops/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2021-05-20T16:50:13Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\nWindows users using the sops direct editor option (`sops file.yaml`) can have a local executable named either `vi`, `vim`, or `nano` executed if running sops from `cmd.exe`\n\nThis attack is only viable if an attacker is able to place a malicious binary within the directory you are running sops from. As well, this attack will only work when using `cmd.exe` or the Windows C library [SearchPath function](https://docs.microsoft.com/en-us/windows/win32/api/processenv/nf-processenv-searchpatha). This is a result of these Windows tools including `.` within their `PATH` by default.\n\n**If you are using sops within untrusted directories on Windows via `cmd.exe`, please upgrade immediately** \n\n**As well, if you have `.` within your default $PATH, please upgrade immediately.**\n\nMore information can be found on the official Go blog: https://blog.golang.org/path-security\n\n### Patches\nThe problem has been resolved in v3.7.1\n\nNow, if Windows users using cmd.exe run into this issue, a warning message will be printed:\n`vim resolves to executable in current directory (.\\vim.exe)`\n\n### References\n* https://blog.golang.org/path-security\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open a discussion in [sops](https://github.com/mozilla/sops/discussions)",
"id": "GHSA-x5c7-x7m2-rhmf",
"modified": "2021-05-20T16:50:13Z",
"published": "2021-05-20T16:50:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mozilla/sops/security/advisories/GHSA-x5c7-x7m2-rhmf"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Local directory executable lookup in sops (Windows-only)"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.