Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXg1YzcteDdtMi1yaG1m
Local directory executable lookup in sops (Windows-only)
Impact
Windows users who use the sops direct editor option (sops file.yaml) can have a local executable named vi, vim, or nano executed if they run sops from cmd.exe.
This attack is only viable if an attacker is able to place a malicious binary within the directory you are running sops from. As well, this attack will only work when using cmd.exe or the Windows C library SearchPath function. This is a result of these Windows tools including the current directory (.) within their PATH by default, so an editor name such as vim is resolved against the working directory before the system directories.
If you are using sops within untrusted directories on Windows via cmd.exe, please upgrade immediately.
As well, if you have . within your default $PATH, please upgrade immediately.
More information can be found on the official Go blog: https://blog.golang.org/path-security
Patches
The problem has been resolved in v3.7.1
Now, if Windows users using cmd.exe run into this issue, a warning message will be printed:
vim resolves to executable in current directory (.\vim.exe)
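The resolution check described above, as an added Go example that is not sops's own code: inCurrentDir, currentDirWarning and lookupEditor are hypothetical names, while exec.ErrDot is the real Go 1.19+ signal for a lookup that matched via "." (see the Go blog post referenced in this advisory).

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// inCurrentDir reports whether a PATH lookup result points into cwd: a relative
// result (e.g. .\vim.exe from "." in %PATH%) or an absolute path whose parent is cwd.
func inCurrentDir(resolved, cwd string) bool {
	if !filepath.IsAbs(resolved) {
		return true
	}
	return filepath.Clean(filepath.Dir(resolved)) == filepath.Clean(cwd)
}

// currentDirWarning builds the warning in the format quoted by the advisory.
func currentDirWarning(name, resolved string) string {
	return fmt.Sprintf("%s resolves to executable in current directory (%s)", name, resolved)
}

// lookupEditor resolves an editor name and refuses current-directory matches, whether
// reported as exec.ErrDot (Go 1.19+, path still filled in) or as a relative/cwd path.
func lookupEditor(name string) (path, warning string, err error) {
	path, err = exec.LookPath(name)
	cwd, _ := os.Getwd()
	if errors.Is(err, exec.ErrDot) || (err == nil && inCurrentDir(path, cwd)) {
		return "", currentDirWarning(name, path), nil // non-empty warning: do not run it
	}
	if err != nil {
		return "", "", err
	}
	return path, "", nil
}

func main() {
	for _, editor := range []string{"vi", "vim", "nano"} {
		path, warning, err := lookupEditor(editor)
		if err != nil {
			fmt.Printf("%s: not found (%v)\n", editor, err)
		} else if warning != "" {
			fmt.Println("warning:", warning)
		} else {
			fmt.Printf("%s -> %s\n", editor, path)
		}
	}
}
```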
References
For more information
If you have any questions or comments about this advisory:
- Open a discussion in sops
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXg1YzcteDdtMi1yaG1m
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-x5c7-x7m2-rhmf
References:
- https://github.com/mozilla/sops/security/advisories/GHSA-x5c7-x7m2-rhmf
- https://github.com/advisories/GHSA-x5c7-x7m2-rhmf
Blast Radius: 0.0
Affected Packages
go:go.mozilla.org/sops/v3
Dependent packages: 204
Dependent repositories: 199
Affected Version Ranges: < 3.7.1
Fixed in: 3.7.1
All affected versions: 3.4.0, 3.5.0, 3.6.0, 3.6.1, 3.7.0
All unaffected versions: 3.7.1, 3.7.2, 3.7.3, 3.8.0, 3.8.1