CVE-2018-12356
published 2018-06-15


Priority: P260 | critical | 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 4.65% (90.6th percentile)

An issue was discovered in password-store.sh in pass in Simple Password Store 1.7.x before 1.7.2. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files and extension scripts. Modifying the configuration file allows the attacker to inject additional encryption keys under their control, thereby disclosing passwords to the attacker. Modifying the extension scripts allows the attacker arbitrary code execution.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
debian | password-store | < password-store 1.7.2-1 (bookworm) | password-store 1.7.2-1 (bookworm)
simple_password_store_project | simple_password_store | >= 1.7.0 < 1.7.2 | 1.7.2

Detection & IOCs (extracted from sources)

path: password-store.sh
  • The vulnerability lies in the signature verification routine of password-store.sh, which uses an incomplete regular expression to parse GnuPG output — monitor for GPG signature verification bypass attempts against pass configuration files or extension scripts.
  • Detect unauthorized injection of additional GPG encryption keys into the pass configuration file, which would allow an attacker to receive copies of encrypted passwords.
  • Monitor pass extension scripts for unauthorized modification, as exploitation can lead to arbitrary code execution via tampered extension scripts.
  • Detailed technical write-up of the signature spoofing technique is available at the NeoPG blog — review for specific GnuPG output patterns that bypass the incomplete regex.
  • Only pass versions 1.7.x through 1.7.1 are affected; version 1.7.2 and later contain the fix. Ensure deployed instances are running 1.7.2 or higher.
  • The attack vector is remote (spoofed file signatures delivered to the client), despite Debian's tracker listing scope as local; treat as remotely exploitable in threat modelling.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | | 9.8 | CRITICAL |
vendor_debian | | 9.8 | CRITICAL |