Vulnerability Details : CVE-2017-8296
kedpm 0.5 and 1.0 creates a history file in ~/.kedpm/history that is written in cleartext. All of the commands performed in the password manager are written there. This can lead to the disclosure of the master password if the "password" command is used with an argument. The names of the password entries created and consulted are also accessible in cleartext.
Products affected by CVE-2017-8296
- cpe:2.3:a:ked_password_manager_project:ked_password_manager:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:ked_password_manager_project:ked_password_manager:0.5:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-8296
0.27%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 49 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-8296
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
|
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2017-8296
-
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-8296
-
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860817
#860817 - kedpm: CVE-2017-8296: Information leak via the command history file - Debian Bug report logsIssue Tracking;Patch
-
https://security.gentoo.org/glsa/201708-04
Ked Password Manager: Information leak (GLSA 201708-04) — Gentoo security
-
http://openwall.com/lists/oss-security/2017/04/26/9
oss-security - kedpm: Information leak via the command history fileMailing List;Third Party Advisory
-
https://sourceforge.net/p/kedpm/bugs/6/
KED Password Manager / Bugs / #6 INFORMATION DISCLOSURE: command history file saved in clear text on diskIssue Tracking;Patch;Third Party Advisory
Jump to