PT-2020-16921 · Git+2 · Pass+2

Alfredo Pironti · Published 2020-12-09 · Updated 2021-07-21 · CVE-2020-28086

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Vulnerable software and affected versions: pass (password-store) 1.7.3 and earlier
Description: pass keeps every secret in its own gpg-encrypted file, and the file's path (for example web/bank.example.gpg) is the only thing that ties that secret to a service; pass does not verify that the decrypted content belongs to the filename it was read from. When the store is shared through Git, an attacker who controls the central Git server or another member's machine, and who also controls one of the services already in the store, can rename the entry for a victim service to the path of the attacker's own service. The ciphertext is untouched, so it still decrypts cleanly. A user who then runs git pull, decrypts what is now the wrong entry, and logs in to the attacker's service sends the victim's password to the attacker. All three user actions (pull, decrypt, log in) are required for exploitation.
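The rename attack and the missing check, as an added example that is not code from pass or from this advisory. The store is a dictionary of opaque blobs encrypted with a stdlib-only stand-in for gpg (SHA-256 keystream XOR plus an HMAC tag); KEY, the entry names and the passwords are constructed for the demo. The hardened variant binds the path into the plaintext and compares it on show; that is one way to make the check the description says is missing, not a description of any upstream change.

```python
import hashlib
import hmac
import json
import os

# Assumed secret held by the store owner (demo only; gpg uses the user's key).
KEY = b"store-key-for-demo-only"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter keystream; a toy cipher so the script needs no gpg."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_entry(key: bytes, path: str, password: str) -> bytes:
    """Encrypt-then-MAC. The plaintext records the path the entry was written under."""
    plaintext = json.dumps({"path": path, "password": password}).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_entry(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad tag")  # tampered ciphertext; a rename never trips this
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


def make_store() -> dict:
    """Constructed store: one victim entry and one entry for the attacker's service."""
    return {
        "web/bank.example.gpg": encrypt_entry(KEY, "web/bank.example.gpg", "hunter2-bank"),
        "web/attacker.example.gpg": encrypt_entry(KEY, "web/attacker.example.gpg", "throwaway"),
    }


def attacker_rename(store: dict, src: str, dst: str) -> None:
    """What a malicious Git server or collaborator does: `git mv src dst`.
    Every ciphertext byte stays intact, so decryption still succeeds."""
    store[dst] = store.pop(src)


def show_vulnerable(store: dict, path: str) -> str:
    """pass <= 1.7.3 behaviour as described on this page: trust the filename."""
    return decrypt_entry(KEY, store[path])["password"]


def show_hardened(store: dict, path: str) -> str:
    """Refuse to hand out a secret whose recorded path differs from the requested one."""
    entry = decrypt_entry(KEY, store[path])
    if entry["path"] != path:
        raise ValueError(f"entry at {path} was written for {entry['path']}")
    return entry["password"]


def hardened_rejects(store: dict, path: str) -> bool:
    try:
        show_hardened(store, path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    store = make_store()
    attacker_rename(store, "web/bank.example.gpg", "web/attacker.example.gpg")
    # The user "logs in to attacker.example" and pastes what pass shows them:
    print("vulnerable show:", show_vulnerable(store, "web/attacker.example.gpg"))
    print("hardened rejects:", hardened_rejects(store, "web/attacker.example.gpg"))
```

After the rename, show_vulnerable returns the bank password under the attacker's path while show_hardened raises. Note what the MAC does and does not buy: it catches modified ciphertext, but a rename is a change of metadata outside the ciphertext, which is exactly why the filename must be bound into, or checked against, the protected content.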
Recommendations: For pass 1.7.3 and earlier, sign commits to the password store and verify those signatures before merging (git pull --verify-signatures, or merge.verifySignatures=true in the repository configuration), so that a rename introduced by a compromised server is rejected rather than silently merged. Signing alone does not cover the second attacker this page describes: a compromised member whose signing key is already trusted can push a validly signed rename, so also review renames and modifications of existing .gpg entries that arrive with a pull before using them. Be cautious when decrypting passwords and logging in to remote services after a pull, since a wrong entry decrypts without any error. At the time of this page's last update there is no information about a newer version that contains a fix for this vulnerability.
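A pre-merge review gate for the recommendation above, added here and not part of pass. It parses the output of git diff --name-status -M -C run against the fetched branch before merging; SAMPLE_NAME_STATUS is constructed for the demo, and the policy (flag everything except a brand-new entry) is an assumption that goes beyond the page's rename case, because an attacker can also copy one entry's ciphertext over another, which git reports as a modification rather than a rename.

```python
# Constructed sample of:  git fetch origin && git diff --name-status -M -C origin/master
# Columns are tab-separated: status, old path, and for R/C the new path.
SAMPLE_NAME_STATUS = """\
A\tweb/newsite.example.gpg
R100\tweb/bank.example.gpg\tweb/attacker.example.gpg
M\tweb/mail.example.gpg
D\tweb/old.example.gpg
C090\tweb/shop.example.gpg\tweb/shop-copy.example.gpg
M\t.gpg-id
"""


def parse_name_status(text: str) -> list:
    """Return (status_letter, old_path, new_path) tuples.
    new_path equals old_path unless git reported a rename (R) or copy (C);
    the similarity score after R/C (e.g. R100) is dropped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        status = parts[0][0]
        if status in "RC":
            rows.append((status, parts[1], parts[2]))
        else:
            rows.append((status, parts[1], parts[1]))
    return rows


def entries_needing_review(text: str) -> list:
    """Every change other than a new entry can redirect an existing secret:
    R/C move or duplicate a ciphertext under another service's name, M can
    replace one entry's ciphertext with another's (git will not call that a
    rename), D can hide an entry. .gpg-id is flagged too because it selects the
    recipient keys for everything encrypted afterwards."""
    flagged = []
    for status, old, new in parse_name_status(text):
        if old.endswith(".gpg-id") or new.endswith(".gpg-id"):
            flagged.append((status, old, new))
        elif new.endswith(".gpg") and status != "A":
            flagged.append((status, old, new))
    return flagged


if __name__ == "__main__":
    for status, old, new in entries_needing_review(SAMPLE_NAME_STATUS):
        where = old if old == new else f"{old} -> {new}"
        print(f"review before merging: {status} {where}")
```

Run it between git fetch and git merge (or wire it into a pre-merge script) and refuse the merge whenever the list is non-empty; with --verify-signatures on top, a rename must then be both signed by a trusted member and explicitly accepted by the person pulling.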

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

ALT-PU-2021-2135
CVE-2020-28086

Affected Products

Alt Linux
Debian
Pass