Vulnerability Details : CVE-2023-36266
An issue was discovered in Keeper Password Manager for Desktop version 16.10.2, and the KeeperFill Browser Extensions version 16.5.4, allows local attackers to gain sensitive information via plaintext password storage in memory after the user is already logged in, and may persist after logout. NOTE: the vendor disputes this for two reasons: the information is inherently available during a logged-in session when the attacker can read from arbitrary memory locations, and information only remains available after logout because of memory-management limitations of web browsers (not because the Keeper technology itself is retaining the information).
Products affected by CVE-2023-36266
- cpe:2.3:a:keepersecurity:keeper:16.10.2:*:*:*:*:*:*:*
- cpe:2.3:a:keepersecurity:keeperfill:16.5.4:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-36266
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 13 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-36266
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.5
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
1.8
|
3.6
|
NIST |
CWE ids for CVE-2023-36266
-
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-36266
-
http://packetstormsecurity.com/files/173809/Keeper-Security-Desktop-16.10.2-Browser-Extension-16.5.4-Password-Dumper.html
Keeper Security Desktop 16.10.2 / Browser Extension 16.5.4 Password Dumper ≈ Packet Storm
-
https://harkenzo.tlstickle.com/2023-06-12-Keeper-Password-Dumping/
Third Party Advisory
Jump to