PT-2018-11141 · Simple Password Store+1 · Pass+1

Marcus Brinkmann · Published 2018-06-15 · Updated 2021-07-03 · CVE-2018-12356

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: pass versions 1.7.x through 1.7.1

Description: An issue in the password-store.sh script of Simple Password Store allows remote attackers to spoof file signatures on configuration files and extension scripts due to an incomplete regular expression in the signature verification routine. This can lead to the disclosure of passwords if an attacker modifies the configuration file to inject additional encryption keys. Furthermore, modifying the extension scripts can allow the attacker to execute arbitrary code.

Recommendations: For pass versions 1.7.x through 1.7.1, update to version 1.7.2 or later to resolve the issue.
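
The weakness class named in the description, as an added example that is not code from password-store.sh or from this advisory: a check that scans GnuPG `--status-fd` output for a `VALIDSIG` record with an unanchored pattern accepts that record anywhere in a line, while the anchored form accepts it only as a status line of its own. The patterns, function names, placeholder fingerprint and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; patterns and sample data are constructed, not taken
# from password-store.sh.
TRUSTED_FPR=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA   # placeholder fingerprint

# A VALIDSIG status record in the layout GnuPG prints on --status-fd (constructed).
RECORD="[GNUPG:] VALIDSIG $TRUSTED_FPR 2018-06-01 1527811200 0 4 0 1 8 00 $TRUSTED_FPR"

# Genuine case: the record is a status line of its own.
sample_genuine() { printf '%s\n' "[GNUPG:] NEWSIG" "$RECORD"; }

# Tainted case: no valid signature; the same text only appears inside another
# line, after data the trusted signer does not control (constructed).
sample_tainted() { printf '%s\n' "[GNUPG:] NEWSIG" "untrusted-data $RECORD"; }

# Incomplete pattern: the leading ".*" lets the record start anywhere in a line.
fpr_unanchored() {
    sed -n 's/.*\[GNUPG:] VALIDSIG [A-F0-9]\{40\} .* \([A-F0-9]\{40\}\)$/\1/p'
}

# Hardened pattern: "^" requires the status prefix at the start of the line.
fpr_anchored() {
    sed -n 's/^\[GNUPG:] VALIDSIG [A-F0-9]\{40\} .* \([A-F0-9]\{40\}\)$/\1/p'
}

# is_trusted PARSER: reads status output on stdin and succeeds only if PARSER
# extracts the trusted primary-key fingerprint.
is_trusted() { "$1" | grep -qx "$TRUSTED_FPR"; }

# Print the verdict of each parser on each sample.
for parser in fpr_unanchored fpr_anchored; do
    for sample in sample_genuine sample_tainted; do
        if "$sample" | is_trusted "$parser"; then verdict=accepted; else verdict=rejected; fi
        echo "$parser / $sample: $verdict"
    done
done
```

Only the anchored parser rejects the tainted sample; both accept the genuine one.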

Fix

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

ALT-PU-2021-2135
CVE-2018-12356
OPENSUSE-SU-2024:11150-1

Affected Products

Alt Linux
Pass