TROYANOSYVIRUS
Volver a CVEs

CVE-2018-12356

N/A

Descripcion

An issue was discovered in password-store.sh in pass in Simple Password Store 1.7.x before 1.7.2. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files and extension scripts. Modifying the configuration file allows the attacker to inject additional encryption keys under their control, thereby disclosing passwords to the attacker. Modifying the extension scripts allows the attacker arbitrary code execution.

Detalles CVE

Puntuacion CVSS v3.1N/A
Publicado6/15/2018
Ultima modificacion11/21/2024
Fuentenvd
Avistamientos honeypot0

Productos afectados

simple_password_store_project:simple_password_store

Debilidades (CWE)

CWE-347

Referencias

http://openwall.com/lists/oss-security/2018/06/14/3(cve@mitre.org)
http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html(cve@mitre.org)
http://seclists.org/fulldisclosure/2019/Apr/38(cve@mitre.org)
http://www.openwall.com/lists/oss-security/2019/04/30/4(cve@mitre.org)
https://git.zx2c4.com/password-store/commit/?id=8683403b77f59c56fcb1f05c61ab33b9fd61a30d(cve@mitre.org)
https://github.com/RUB-NDS/Johnny-You-Are-Fired(cve@mitre.org)
https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf(cve@mitre.org)
https://lists.zx2c4.com/pipermail/password-store/2018-June/003308.html(cve@mitre.org)
http://openwall.com/lists/oss-security/2018/06/14/3(af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html(af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2019/Apr/38(af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2019/04/30/4(af854a3a-2127-422b-91ae-364da2661108)
https://git.zx2c4.com/password-store/commit/?id=8683403b77f59c56fcb1f05c61ab33b9fd61a30d(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/RUB-NDS/Johnny-You-Are-Fired(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf(af854a3a-2127-422b-91ae-364da2661108)
https://lists.zx2c4.com/pipermail/password-store/2018-June/003308.html(af854a3a-2127-422b-91ae-364da2661108)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.