x/vulndb: potential Go vuln in go.mozilla.org/sops/v3: GHSA-x5c7-x7m2-rhmf

[GoVulnBot]

In GitHub Security Advisory GHSA-x5c7-x7m2-rhmf, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
go.mozilla.org/sops/v3	3.7.1	< 3.7.1

See doc/triage.md for instructions on how to triage this report.

package: go.mozilla.org/sops/v3
versions:
  - introduced: v0.0.0
    fixed: v3.7.1
description: "### Impact\nWindows users using the sops direct editor option (`sops
    file.yaml`) can have a local executable named either `vi`, `vim`, or `nano` executed
    if running sops from `cmd.exe`\n\nThis attack is only viable if an attacker is
    able to place a malicious binary within the directory you are running sops from.
    As well, this attack will only work when using `cmd.exe` or the Windows C library
    [SearchPath function](https://docs.microsoft.com/en-us/windows/win32/api/processenv/nf-processenv-searchpatha).
    This is a result of these Windows tools including `.` within their `PATH` by default.\n\n**If
    you are using sops within untrusted directories on Windows via `cmd.exe`, please
    upgrade immediately** \n\n**As well, if you have `.` within your default $PATH,
    please upgrade immediately.**\n\nMore information can be found on the official
    Go blog: https://blog.golang.org/path-security\n\n### Patches\nThe problem has
    been resolved in v3.7.1\n\nNow, if Windows users using cmd.exe run into this issue,
    a warning message will be printed:\n`vim resolves to executable in current directory
    (.\\vim.exe)`\n\n### References\n* https://blog.golang.org/path-security\n\n###
    For more information\nIf you have any questions or comments about this advisory:\n*
    Open a discussion in [sops](https://github.com/mozilla/sops/discussions)"
published: 2021-05-20T16:50:34Z
last_modified: 2021-05-20T16:50:34Z
ghsas:
  - GHSA-x5c7-x7m2-rhmf

[neild]

Vulnerability in tool.

[gopherbot]

Change https://go.dev/cl/592767 mentions this issue: data/reports: unexclude 50 reports

[gopherbot]

Change https://go.dev/cl/607218 mentions this issue: data/reports: unexclude 20 reports (16)