CVE-2020-28086

EPSS 0.11%
Veröffentlicht 09.12.2020 19:15:11
Zuletzt bearbeitet 21.11.2024 05:22:19
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

pass through 1.7.3 has a possibility of using a password for an unintended resource. For exploitation to occur, the user must do a git pull, decrypt a password, and log into a remote service with the password. If an attacker controls the central Git server or one of the other members' machines, and also controls one of the services already in the password store, they can rename one of the password files in the Git repository to something else: pass doesn't correctly verify that the content of a file matches the filename, so a user might be tricked into decrypting the wrong password and sending that to a service that the attacker controls. NOTE: for environments in which this threat model is of concern, signing commits can be a solution.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Zx2c4 ≫ Password-store Version <= 1.7.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.267

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://lists.zx2c4.com/pipermail/password-store/2014-March/000498.html

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-28086

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-28086

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-28086

EUVD