VYPR
Critical severity · OSV Advisory · Published Feb 4, 2019 · Updated Aug 5, 2024

CVE-2019-1000001

Description

TeamPass version 2.1.27 and earlier contains a Storing Passwords in a Recoverable Format vulnerability in Shared password vaults that can result in all shared passwords being recoverable server side. This attack appears to be exploitable via any vulnerability that can bypass authentication or role assignment and can lead to shared password leakage.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TeamPass 2.1.27 and earlier stores shared passwords in a recoverable format, allowing authenticated attackers with bypassed access controls to decrypt all shared passwords.

Vulnerability

TeamPass version 2.1.27 and earlier contains a design flaw in how shared password vaults are encrypted. The encryption key for shared passwords is split between a file on the server and the database, and the user's own password is not used to protect shared vault keys [1][3]. This means the server-side material alone is sufficient to decrypt all shared passwords, requiring no per-user secret. The affected versions are all TeamPass releases up to and including 2.1.27 [1].
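
An added sketch, not TeamPass code, contrasting the server-side key handling described above with a vault key wrapped under a member's passphrase. All function names, the SHA-256 combination of the two key halves, the user-bound design itself, and the HMAC-based stand-in cipher are assumptions for illustration; the sample secrets are constructed.

```python
import hashlib, hmac, os

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real cipher (assumption).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC, output layout: nonce || ciphertext || tag.
    nonce = os.urandom(16)
    ks = _stream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(ct, _stream(_subkey(key, b"enc"), nonce, len(ct))))

def server_key(file_part: bytes, db_part: bytes) -> bytes:
    # Advisory's design: both halves are server side (SHA-256 combine is assumed).
    return hashlib.sha256(file_part + db_part).digest()

def user_key(passphrase: str, salt: bytes) -> bytes:
    # Contrast design (assumption): key derived from a secret the server never stores.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def compare_designs(passphrase: str = "constructed member passphrase") -> dict:
    secret = b"constructed shared credential"
    file_part, db_part, vault_key, salt = (os.urandom(n) for n in (32, 32, 32, 16))
    # Recoverable: whoever reads the file and the database rebuilds the key.
    item_a = seal(server_key(file_part, db_part), secret)
    recovered = unseal(server_key(file_part, db_part), item_a) == secret
    # User-bound: the vault key exists at rest only wrapped under a member's key.
    wrapped, item_b = seal(user_key(passphrase, salt), vault_key), seal(vault_key, secret)
    try:  # server-held material alone: file, database rows, salt, wrapped key
        unseal(server_key(file_part, db_part), wrapped)
        server_only = True
    except ValueError:
        server_only = False
    member = unseal(unseal(user_key(passphrase, salt), wrapped), item_b) == secret
    return {"recoverable_design_server_only": recovered, "user_bound_design_server_only":
            server_only, "user_bound_design_with_passphrase": member}
```

In a real deployment the stand-in cipher would be replaced by a vetted AEAD and the vault key would be wrapped once per member.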

Exploitation

An attacker needs to bypass authentication or role assignment controls to gain access to the TeamPass interface [1]. Once access is obtained, no further decryption step requiring the victim's password is needed; the attacker can directly access any shared password stored in the vaults they can reach. The attack does not require physical access or privileged network position if the web interface is exposed [1][3].

Impact

Successful exploitation results in leakage of all shared passwords managed by TeamPass. The confidentiality of credentials stored in shared vaults is completely compromised. The attacker gains the ability to read credentials that may belong to different roles or users, as the encryption does not differentiate between roles [3]. This can lead to further compromise of downstream systems protected by those credentials.

Mitigation

Not yet disclosed in the available references. Users of TeamPass 2.1.27 and earlier should upgrade to a version newer than 2.1.27 if available. The project's GitHub repository (nilsteampassnet/TeamPass) should be monitored for security releases [2]. At the time of this writing, no fixed version has been identified in the provided references, and no workaround is documented.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| nilsteampassnet/teampass (Packagist) | <= 2.1.27 | |

Affected products

2

Patches

0

No patches discovered yet.

References

3
