{"id":"GHSA-x5c7-x7m2-rhmf","summary":"Local directory executable lookup in sops (Windows-only)","details":"### Impact\nWindows users using the sops direct editor option (`sops file.yaml`) can have a local executable named either `vi`, `vim`, or `nano` executed if running sops from `cmd.exe`\n\nThis attack is only viable if an attacker is able to place a malicious binary within the directory you are running sops from. As well, this attack will only work when using `cmd.exe` or the Windows C library [SearchPath function](https://docs.microsoft.com/en-us/windows/win32/api/processenv/nf-processenv-searchpatha). This is a result of these Windows tools including `.` within their `PATH` by default.\n\n**If you are using sops within untrusted directories on Windows via `cmd.exe`, please upgrade immediately** \n\n**As well, if you have `.` within your default $PATH, please upgrade immediately.**\n\nMore information can be found on the official Go blog: https://blog.golang.org/path-security\n\n### Patches\nThe problem has been resolved in v3.7.1\n\nNow, if Windows users using cmd.exe run into this issue, a warning message will be printed:\n`vim resolves to executable in current directory (.\\vim.exe)`\n\n### References\n* https://blog.golang.org/path-security\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open a discussion in [sops](https://github.com/mozilla/sops/discussions)","aliases":["GO-2022-0410"],"modified":"2024-08-21T15:42:05.145523Z","published":"2021-05-20T16:50:34Z","database_specific":{"nvd_published_at":null,"github_reviewed":true,"severity":"LOW","github_reviewed_at":"2021-05-20T16:50:13Z","cwe_ids":[]},"references":[{"type":"WEB","url":"https://github.com/mozilla/sops/security/advisories/GHSA-x5c7-x7m2-rhmf"}],"affected":[{"package":{"name":"go.mozilla.org/sops/v3","ecosystem":"Go","purl":"pkg:golang/go.mozilla.org/sops/v3"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"3.7.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-x5c7-x7m2-rhmf/GHSA-x5c7-x7m2-rhmf.json"}}],"schema_version":"1.7.3"}