Description
An issue was discovered in password-store.sh in pass in Simple Password Store 1.7.x before 1.7.2. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files and extension scripts. Modifying the configuration file allows the attacker to inject additional encryption keys under their control, thereby disclosing passwords to the attacker. Modifying the extension scripts allows the attacker arbitrary code execution.
References (8)
Core 8
Core References
Patch, Third Party Advisory x_refsource_misc
https://git.zx2c4.com/password-store/commit/?id=8683403b77f59c56fcb1f05c61ab33b9fd61a30d
Mailing List, Third Party Advisory x_refsource_misc
http://openwall.com/lists/oss-security/2018/06/14/3
Mailing List, Third Party Advisory x_refsource_misc
https://lists.zx2c4.com/pipermail/password-store/2018-June/003308.html
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/04/30/4
Mailing List, Third Party Advisory mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2019/Apr/38
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html
Various Sources x_refsource_misc
https://github.com/RUB-NDS/Johnny-You-Are-Fired
Various Sources x_refsource_misc
https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf
Scores
CVSS v3
9.8
EPSS
0.0465
EPSS Percentile
90.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-347
Status
published
Products (1)
simple_password_store_project/simple_password_store
1.7.0 - 1.7.2
Published
Jun 15, 2018
Tracked Since
Feb 18, 2026