Impact
Windows users who use the sops direct editor option (sops file.yaml) can have a local executable named vi, vim, or nano executed if they run sops from cmd.exe.
This attack is only viable if an attacker is able to place a malicious binary in the directory you run sops from. It also only works when using cmd.exe or the Windows C library SearchPath function, because these Windows tools include . in their PATH by default.
If you use sops in untrusted directories on Windows via cmd.exe, please upgrade immediately.
Likewise, if you have . in your default $PATH, please upgrade immediately.
More information can be found on the official Go blog: https://blog.golang.org/path-security
Patches
The problem has been resolved in v3.7.1.
Now, if Windows users using cmd.exe run into this issue, a warning message is printed:
vim resolves to executable in current directory (.\vim.exe)
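The check behind that warning, written here as an added example rather than sops' own code: a lookup result that is not an absolute path can only have come from the implicit "." entry that cmd.exe and SearchPath consult, so it is flagged (and refused) instead of being executed. The function names and the exact warning wording are assumptions taken from this advisory.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// resolvesToCurrentDir reports whether a path returned by a PATH lookup
// refers to the working directory rather than a directory listed on PATH.
// When "." is searched first, the result comes back as a bare name or a
// dot-relative name such as `.\vim.exe`; a PATH hit is always absolute.
func resolvesToCurrentDir(resolved string) bool {
	return !filepath.IsAbs(resolved)
}

// editorWarning returns the warning text (wording assumed from the advisory)
// when the editor name resolved into the working directory, or "" when the
// resolution is safe to use.
func editorWarning(name, resolved string) string {
	if !resolvesToCurrentDir(resolved) {
		return ""
	}
	return fmt.Sprintf("%s resolves to executable in current directory (%s)", name, resolved)
}

// lookPathStrict wraps exec.LookPath and refuses any result that lives in the
// working directory, the same policy golang.org/x/sys/execabs applies.
// Go 1.19+ additionally reports such hits via exec.ErrDot.
func lookPathStrict(name string) (string, error) {
	p, err := exec.LookPath(name)
	if err != nil {
		return "", err
	}
	if w := editorWarning(name, p); w != "" {
		return "", fmt.Errorf("%s", w)
	}
	return p, nil
}

func main() {
	// Probe the three editor names sops tries; constructed demo only.
	for _, ed := range []string{"vim", "vi", "nano"} {
		p, err := lookPathStrict(ed)
		if err != nil {
			fmt.Fprintln(os.Stderr, "refusing:", err)
			continue
		}
		fmt.Println("would launch", p)
	}
}
```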
References
For more information
If you have any questions or comments about this advisory:
- Open a discussion in sops