Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a CVE vulnerability ID? 
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
New vulnerability? Tell us about it!
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
WS-2021-0116
Good to know:
Date: May 20, 2021
Mozilla Spos has a ocal directory executable lookup in sops (Windows-only). The problem has been resolved in v3.7.1. Windows users using the sops direct editor option (sops file.yaml) can have a local executable named either vi, vim, or nano executed if running sops from cmd.exe This attack is only viable if an attacker is able to place a malicious binary within the directory you are running sops from. As well, this attack will only work when using cmd.exe or the Windows C library SearchPath function. This is a result of these Windows tools including . within their PATH by default.
Language: Go
Severity Score
Severity Score
Weakness Type (CWE)
Untrusted Search Path
CWE-426Top Fix
CVSS v3
| Base Score: |
|
|---|---|
| Attack Vector (AV): | |
| Attack Complexity (AC): | |
| Privileges Required (PR): | |
| User Interaction (UI): | |
| Scope (S): | |
| Confidentiality (C): | PARTIAL |
| Integrity (I): | NONE |
| Availability (A): | NONE |