CVE-2018-12356 — CRITICAL (9.8)

Q: How severe is CVE-2018-12356?

CVE-2018-12356 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2018-12356?

Check the references section above for vendor advisories and patch information. Affected products include: Simple Password Store Project Simple Password Store.

Vulnerability Description

An issue was discovered in password-store.sh in pass in Simple Password Store 1.7.x before 1.7.2. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files and extension scripts. Modifying the configuration file allows the attacker to inject additional encryption keys under their control, thereby disclosing passwords to the attacker. Modifying the extension scripts allows the attacker arbitrary code execution.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Simple Password Store Project	Simple Password Store	>= 1.7.0, < 1.7.2

Related Weaknesses (CWE)

CWE-347

References

http://openwall.com/lists/oss-security/2018/06/14/3Mailing ListThird Party Advisory
http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.htmlThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2019/Apr/38Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2019/04/30/4Mailing ListThird Party Advisory
https://git.zx2c4.com/password-store/commit/?id=8683403b77f59c56fcb1f05c61ab33b9PatchThird Party Advisory
https://github.com/RUB-NDS/Johnny-You-Are-Fired
https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.p
https://lists.zx2c4.com/pipermail/password-store/2018-June/003308.htmlMailing ListThird Party Advisory
http://openwall.com/lists/oss-security/2018/06/14/3Mailing ListThird Party Advisory
http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.htmlThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2019/Apr/38Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2019/04/30/4Mailing ListThird Party Advisory
https://git.zx2c4.com/password-store/commit/?id=8683403b77f59c56fcb1f05c61ab33b9PatchThird Party Advisory
https://github.com/RUB-NDS/Johnny-You-Are-Fired
https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.p

FAQ

What is CVE-2018-12356?

CVE-2018-12356 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue was discovered in password-store.sh in pass in Simple Password Store 1.7.x before 1.7.2. The signature verification routine parses the output of GnuPG with an incomplete regular expression, w...

How severe is CVE-2018-12356?

CVE-2018-12356 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2018-12356?

Check the references section above for vendor advisories and patch information. Affected products include: Simple Password Store Project Simple Password Store.