CVE-2018-12356 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2018-12356 Interim 1 8 2025-02-17T02:46:01Z current 2021-05-30T14:14:08Z 2025-02-17T02:46:01Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2018-12356 An issue was discovered in password-store.sh in pass in Simple Password Store 1.7.x before 1.7.2. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files and extension scripts. Modifying the configuration file allows the attacker to inject additional encryption keys under their control, thereby disclosing passwords to the attacker. Modifying the extension scripts allows the attacker arbitrary code execution. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 15.0 openSUSE Tumbleweed password-store-1.7.3-lp150.2.1 password-store-1.7.4-3.1 password-store-dmenu-1.7.3-lp150.2.1 password-store-dmenu-1.7.4-3.1 password-store-1.7.3-lp150.2.1 as a component of openSUSE Leap 15.0 password-store-dmenu-1.7.3-lp150.2.1 as a component of openSUSE Leap 15.0 password-store-1.7.4-3.1 as a component of openSUSE Tumbleweed password-store-dmenu-1.7.4-3.1 as a component of openSUSE Tumbleweed An issue was discovered in password-store.sh in pass in Simple Password Store 1.7.x before 1.7.2. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files and extension scripts. Modifying the configuration file allows the attacker to inject additional encryption keys under their control, thereby disclosing passwords to the attacker. Modifying the extension scripts allows the attacker arbitrary code execution. CVE-2018-12356 openSUSE Leap 15.0:password-store-1.7.3-lp150.2.1 openSUSE Leap 15.0:password-store-dmenu-1.7.3-lp150.2.1 openSUSE Tumbleweed:password-store-1.7.4-3.1 openSUSE Tumbleweed:password-store-dmenu-1.7.4-3.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 7.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H