Strix
26.1K

CVE-2020-28086

HIGHCVSS 7.5/10EPSS 0.59%

Last modified

CVE-2020-28086 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. pass through 1.7.3 has a possibility of using a password for an unintended resource. For exploitation to occur, the user must do a git pull, decrypt a password, and log into a remote service with the password. EPSS estimates a 0.59% chance of exploitation in the next 30 days.

Description

pass through 1.7.3 has a possibility of using a password for an unintended resource. For exploitation to occur, the user must do a git pull, decrypt a password, and log into a remote service with the password. If an attacker controls the central Git server or one of the other members' machines, and also controls one of the services already in the password store, they can rename one of the password files in the Git repository to something else: pass doesn't correctly verify that the content of a file matches the filename, so a user might be tricked into decrypting the wrong password and sending that to a service that the attacker controls. NOTE: for environments in which this threat model is of concern, signing commits can be a solution.

Metrics

CVSS 3.1
7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Probability
0.59%

43.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
Zx2c4Password-Store<= 1.7.3

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2020-28086?
pass through 1.7.3 has a possibility of using a password for an unintended resource. For exploitation to occur, the user must do a git pull, decrypt a password, and log into a remote service with the password. If an attacker controls the central Git server or one of the other members' machines, and also controls one of the services already in the password store, they can rename one of the password files in the Git repository to something else: pass doesn't correctly verify that the content of a file matches the filename, so a user might be tricked into decrypting the wrong password and sending that to a service that the attacker controls. NOTE: for environments in which this threat model is of concern, signing commits can be a solution.
How severe is CVE-2020-28086?
CVE-2020-28086 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.59% probability of exploitation in the next 30 days.
How do I fix CVE-2020-28086?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-28086?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST