Vulnerability Details : CVE-2023-24055
Potential exploit
KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. NOTE: the vendor's position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.
Products affected by CVE-2023-24055
- cpe:2.3:a:keepass:keepass:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-24055
35.75%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 97 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-24055
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.5
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
1.8
|
3.6
|
NIST |
CWE ids for CVE-2023-24055
-
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-24055
-
https://sourceforge.net/p/keepass/feature-requests/2773/
KeePass / Feature Requests / #2773 Improve the security of password exportsThird Party Advisory
-
https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/
KeePass / Discussion / Open Discussion: someone can read the passwords using export triggerPatch;Third Party Advisory
-
https://securityboulevard.com/2023/01/keepass-password-manager-leak-cve-richixbw/
Another Password Manager Leak Bug: But KeePass Denies CVE - Security BoulevardThird Party Advisory
Jump to