Search for vulnerabilities
Vulnerability details: VCID-33s1-qjaz-aaap
Vulnerability ID VCID-33s1-qjaz-aaap
Aliases CVE-2018-12356
Summary An issue was discovered in password-store.sh in pass in Simple Password Store 1.7.x before 1.7.2. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files and extension scripts. Modifying the configuration file allows the attacker to inject additional encryption keys under their control, thereby disclosing passwords to the attacker. Modifying the extension scripts allows the attacker arbitrary code execution.
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-347 Improper Verification of Cryptographic Signature
System Score Found at
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02859 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02916 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.02968 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.09868 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.09868 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.09868 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.09868 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.09868 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.09868 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.09868 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.09868 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.09868 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.17596 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.17596 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.17596 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
epss 0.17596 https://api.first.org/data/v1/epss?cve=CVE-2018-12356
cvssv3 7.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2 7.5 https://nvd.nist.gov/vuln/detail/CVE-2018-12356
cvssv3 9.8 https://nvd.nist.gov/vuln/detail/CVE-2018-12356
archlinux High https://security.archlinux.org/AVG-720
archlinux Critical https://security.archlinux.org/AVG-727
Reference id Reference type URL
http://openwall.com/lists/oss-security/2018/06/14/3
http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html
https://api.first.org/data/v1/epss?cve=CVE-2018-12356
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12356
http://seclists.org/fulldisclosure/2019/Apr/38
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/RUB-NDS/Johnny-You-Are-Fired
https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf
https://git.zx2c4.com/password-store/commit/?id=8683403b77f59c56fcb1f05c61ab33b9fd61a30d
https://lists.zx2c4.com/pipermail/password-store/2018-June/003308.html
http://www.openwall.com/lists/oss-security/2019/04/30/4
901574 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901574
ASA-201806-11 https://security.archlinux.org/ASA-201806-11
ASA-201806-14 https://security.archlinux.org/ASA-201806-14
AVG-720 https://security.archlinux.org/AVG-720
AVG-727 https://security.archlinux.org/AVG-727
cpe:2.3:a:simple_password_store_project:simple_password_store:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:simple_password_store_project:simple_password_store:*:*:*:*:*:*:*:*
CVE-2018-12356 https://nvd.nist.gov/vuln/detail/CVE-2018-12356
No exploits are available.
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2018-12356
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2018-12356
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.85537
EPSS Score 0.02859
Published At May 16, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.