Impact
Windows users using the sops direct editor option (sops file.yaml
) can have a local executable named either vi
, vim
, or nano
executed if running sops from cmd.exe
This attack is only viable if an attacker is able to place a malicious binary within the directory you are running sops from. As well, this attack will only work when using cmd.exe
or the Windows C library SearchPath function. This is a result of these Windows tools including .
within their PATH
by default.
If you are using sops within untrusted directories on Windows via cmd.exe
, please upgrade immediately
As well, if you have .
within your default $PATH, please upgrade immediately.
More information can be found on the official Go blog: https://blog.golang.org/path-security
Patches
The problem has been resolved in v3.7.1
Now, if Windows users using cmd.exe run into this issue, a warning message will be printed:
vim resolves to executable in current directory (.\vim.exe)
References
For more information
If you have any questions or comments about this advisory:
- Open a discussion in sops
Impact
Windows users using the sops direct editor option (
sops file.yaml
) can have a local executable named eithervi
,vim
, ornano
executed if running sops fromcmd.exe
This attack is only viable if an attacker is able to place a malicious binary within the directory you are running sops from. As well, this attack will only work when using
cmd.exe
or the Windows C library SearchPath function. This is a result of these Windows tools including.
within theirPATH
by default.If you are using sops within untrusted directories on Windows via
cmd.exe
, please upgrade immediatelyAs well, if you have
.
within your default $PATH, please upgrade immediately.More information can be found on the official Go blog: https://blog.golang.org/path-security
Patches
The problem has been resolved in v3.7.1
Now, if Windows users using cmd.exe run into this issue, a warning message will be printed:
vim resolves to executable in current directory (.\vim.exe)
References
For more information
If you have any questions or comments about this advisory: