Arbitrary Code Execution Affecting go.mozilla.org/sops/v3/cmd/sops package, versions <3.7.1


  • score

    0.0

  • severity

    medium

  • Attack Complexity

    High

  • User Interaction

    Required

  • snyk-id

    SNYK-GOLANG-GOMOZILLAORGSOPSV3CMDSOPS-1296103

  • published

    21 May 2021

  • disclosed

    20 May 2021

  • credit

    RyotaK

How to fix?

Upgrade go.mozilla.org/sops/v3/cmd/sops to version 3.7.1 or higher.

Overview

Affected versions of this package are vulnerable to Arbitrary Code Execution. Windows users who open a file with the direct editor option (`sops file.yaml`) can have a local executable named vi, vim, or nano in the current directory executed when sops is run from cmd.exe.

This attack is only viable if an attacker is able to place a malicious binary in the directory from which you are running sops. It is also only possible when sops is launched from cmd.exe or when the editor name is resolved through the Windows C library SearchPath function, because both of these include the current directory (`.`) in their PATH search by default, so a bare editor name can resolve to a file in the working directory before the real editor is found.
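The program below is an added example, not code from sops or from the advisory. It contrasts a lookup that searches relative PATH entries in order, which is the behaviour this advisory describes, with one that resolves a bare editor name only through absolute PATH entries and refuses a name that exists solely in the working directory. The vi/vim/nano fallback list, the function names and the PATH-splitting logic are assumptions made for this example; the execute-bit test is POSIX-oriented and only illustrative on Windows, where the file extension decides.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrRelativeMatch is returned when the only match for an executable name
// sits in a PATH entry that is relative to the current working directory
// ("" or "." on POSIX; "." as cmd.exe and SearchPath add it on Windows).
var ErrRelativeMatch = errors.New("editor resolved relative to the current directory")

// isExecutableFile reports whether path is a regular file with at least one
// execute bit set. POSIX-oriented: on Windows the extension decides instead.
func isExecutableFile(path string) bool {
	fi, err := os.Stat(path)
	if err != nil || !fi.Mode().IsRegular() {
		return false
	}
	return fi.Mode().Perm()&0o111 != 0
}

// naiveLookPath mirrors the search the advisory describes: every PATH entry
// is tried in order and an empty entry means the working directory, so a
// file named "vi" beside the document being edited shadows the real editor.
// Kept only to contrast with safeLookPath.
func naiveLookPath(name, pathEnv string) (string, error) {
	for _, dir := range strings.Split(pathEnv, string(os.PathListSeparator)) {
		if dir == "" {
			dir = "."
		}
		if candidate := filepath.Join(dir, name); isExecutableFile(candidate) {
			return candidate, nil
		}
	}
	return "", fmt.Errorf("%s: not found in PATH", name)
}

// safeLookPath resolves a bare editor name only against absolute PATH
// entries. A name that matches only in a relative entry is reported as
// ErrRelativeMatch rather than returned, so the caller never executes a
// binary picked up from the working directory.
func safeLookPath(name, pathEnv string) (string, error) {
	if filepath.IsAbs(name) {
		if isExecutableFile(name) {
			return name, nil
		}
		return "", fmt.Errorf("%s: not an executable file", name)
	}
	if strings.ContainsRune(name, os.PathSeparator) {
		return "", fmt.Errorf("%s: relative editor paths are not accepted", name)
	}
	relativeHit := false
	for _, dir := range strings.Split(pathEnv, string(os.PathListSeparator)) {
		if dir == "" {
			dir = "."
		}
		candidate := filepath.Join(dir, name)
		if !filepath.IsAbs(dir) {
			// Remember, but never return, a match from a relative entry.
			if isExecutableFile(candidate) {
				relativeHit = true
			}
			continue
		}
		if isExecutableFile(candidate) {
			return candidate, nil
		}
	}
	if relativeHit {
		return "", ErrRelativeMatch
	}
	return "", fmt.Errorf("%s: not found in PATH", name)
}

// chooseEditor tries candidate editor names in order (the vi, vim, nano list
// is an assumption of this example) and returns the first that resolves
// through an absolute PATH entry; shadowed names are skipped, not executed.
func chooseEditor(candidates []string, pathEnv string) (string, error) {
	var reasons []string
	for _, name := range candidates {
		path, err := safeLookPath(name, pathEnv)
		if err == nil {
			return path, nil
		}
		if errors.Is(err, ErrRelativeMatch) {
			reasons = append(reasons, name+": shadowed in working directory")
			continue
		}
		reasons = append(reasons, err.Error())
	}
	return "", fmt.Errorf("no usable editor: %s", strings.Join(reasons, "; "))
}

func main() {
	pathEnv := os.Getenv("PATH")
	for _, name := range []string{"vi", "vim", "nano"} {
		naive, _ := naiveLookPath(name, pathEnv)
		safe, err := safeLookPath(name, pathEnv)
		fmt.Printf("%-5s naive=%q safe=%q err=%v\n", name, naive, safe, err)
	}
	if editor, err := chooseEditor([]string{"vi", "vim", "nano"}, pathEnv); err == nil {
		fmt.Println("editor:", editor)
	}
}
```

Run it from a directory that contains a file named `vi` with a PATH that starts with `.` and the naive column returns that file while the safe column reports it as shadowed; with a normal PATH both agree. The same idea applies to any tool that launches a helper by bare name: treat a match from a relative PATH entry as "not found" instead of running it.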