Arbitrary Code Execution Affecting go.mozilla.org/sops/v3/cmd/sops Open this link in a new tab package, versions <3.7.1
Attack Complexity
High
User Interaction
Required
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications-
snyk-id
SNYK-GOLANG-GOMOZILLAORGSOPSV3CMDSOPS-1296103
-
published
21 May 2021
-
disclosed
20 May 2021
-
credit
RyotaK
Introduced: 20 May 2021
CWE-94 Open this link in a new tabHow to fix?
Upgrade go.mozilla.org/sops/v3/cmd/sops to version 3.7.1 or higher.
Overview
Affected versions of this package are vulnerable to Arbitrary Code Execution. Windows users using the sops direct editor option (sops file.yaml) can have a local executable named either vi, vim, or nano executed if running sops from cmd.exe.
This attack is only viable if an attacker is able to place a malicious binary within the directory from which you are running sops. Also, this attack is only possible when using cmd.exe or the Windows C library SearchPath function. This is a result of these Windows tools including . within their PATH by default.