PT-2021-18619 · Ripgrep+1

Published 2021-06-11 · Updated 2024-06-15 · CVE-2021-3013

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

ripgrep versions prior to 13
grep-cli versions prior to 0.1.6

Description

The issue allows attackers to trigger execution of arbitrary programs from the current working directory via the -z/--search-zip or --pre flag. This is possible due to a quirk of the Windows process execution API, which considers the current directory before other directories when resolving relative binary names. On Unix systems, this is only possible if the PATH variable contains '.'. An attacker could place a malicious binary in the current directory, and it would be executed instead of the system's version. The estimated number of potentially affected devices is not specified.

Recommendations

For ripgrep versions prior to 13, update to version 13 or later to resolve the issue. For grep-cli versions prior to 0.1.6, update to version 0.1.6 or later, and consider using the resolve_binary helper function when creating std::process::Command values on Windows. As a temporary workaround, construct Command values with absolute binary names.
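
The temporary workaround above (building Command values only from absolute binary names) is shown here as an added example. It is not code from ripgrep or grep-cli. The helper names resolve_in_path and safe_command and the program name gzip are assumptions made for illustration.

```rust
use std::env;
use std::ffi::OsStr;
use std::path::PathBuf;
use std::process::Command;

/// Hypothetical helper: resolve a bare program name to an absolute path using
/// only the absolute directories listed in `path_var`. The current working
/// directory is never consulted, and relative entries ("." or "") are skipped.
fn resolve_in_path(prog: &str, path_var: &OsStr) -> Option<PathBuf> {
    // Anything containing a separator is a path, not a bare name: refuse it
    // here so the caller has to pass an explicit absolute path instead.
    if prog.is_empty() || prog.contains('/') || prog.contains('\\') {
        return None;
    }
    // Windows executables usually carry an extension; Unix ones do not.
    let exts: &[&str] = if cfg!(windows) { &["", ".exe", ".com"] } else { &[""] };
    for dir in env::split_paths(path_var) {
        if !dir.is_absolute() {
            continue; // drops ".", "" and any other CWD-relative entry
        }
        for ext in exts {
            let candidate = dir.join(format!("{}{}", prog, ext));
            // Existence check only; permission bits are not inspected.
            if candidate.is_file() {
                return Some(candidate);
            }
        }
    }
    None
}

/// Build a Command only from a resolved absolute path, never a bare name.
fn safe_command(prog: &str) -> Option<Command> {
    let path_var = env::var_os("PATH")?;
    resolve_in_path(prog, &path_var).map(Command::new)
}

fn main() {
    // "gzip" is an assumed helper name, chosen only for illustration.
    match safe_command("gzip") {
        Some(cmd) => println!("would run {:?}", cmd.get_program()),
        None => eprintln!("gzip not found in an absolute PATH directory"),
    }
}
```

Because the resolved path is absolute, the spawn no longer depends on how the operating system orders its search for a relative name.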

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2021-3013
GHSA-G4XG-FXMG-VCG5
OPENSUSE-SU-2024:11300-1
RUSTSEC-2021-0071

Affected Products

Grep-Cli
Ripgrep