ALT-PU-2024-12934-3

Package update keepass in branch p9

Version: 2.54-alt0.p10.1
Published: 2024-12-05
Max severity: HIGH

Closed issues (4)

BDU:2023-03124
HIGH 7.5

Vulnerability in the password entry text box of the KeePass password manager, related to storing credentials in unencrypted form, which allows an attacker to recover the master password in cleartext

Published: 2023-06-13
CVSS 3.x: HIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0: HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N
BDU:2023-07674
MEDIUM 5.5

Vulnerability in the KeePass password manager, related to unencrypted storage of sensitive information, which allows an attacker to obtain passwords in cleartext

Published: 2023-11-11
Modified: 2024-11-02
CVSS 3.x: MEDIUM 5.5
CVSS:3.x/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS 2.0: MEDIUM 4.9
CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:N/A:N
CVE-2023-24055
MEDIUM 5.5

KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. NOTE: the vendor's position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.

Published: 2023-01-22
Modified: 2024-11-21
CVSS 3.x: MEDIUM 5.5
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE-2023-32784
HIGH 7.5

In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation.

Published: 2023-05-15
Modified: 2025-01-23
CVSS 3.x: HIGH 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N