Vulnerability Details : CVE-2019-12171
Potential exploit
Dropbox.exe (and QtWebEngineProcess.exe in the Web Helper) in the Dropbox desktop application 71.4.108.0 store cleartext credentials in memory upon successful login or new account creation. These are not securely freed in the running process.
Products affected by CVE-2019-12171
- cpe:2.3:a:dropbox:dropbox:71.4.108.0:*:*:*:*:desktop:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-12171
- EPSS score: 0.12% (probability of exploitation activity in the next 30 days)
- Percentile: ~28% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2019-12171
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
CWE ids for CVE-2019-12171
- The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. Assigned by: nvd@nist.gov (Primary)
- The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-12171
- https://drive.google.com/open?id=1DCGurwRTu0HsUpTglVR0jgItZNqqDm_5 : DropboxCredentialDump.mp4 - Google Drive (Exploit; Third Party Advisory)
- https://drive.google.com/open?id=1msz6pb08crPC0VT7s_Z_KTsKm9CbLJEXNsmRwzoNLy8 : Dropbox Desktop Client Stores Credentials in Memory - Google Docs (Exploit; Third Party Advisory)