Vulnerability Details : CVE-2023-38840
Bitwarden Desktop 2023.7.0 and earlier leaves sensitive information (per the linked references, the plaintext master password, even after the vault has been locked) in the memory of the Bitwarden.exe process, where an attacker with local access can recover it, for example by dumping the process memory.
Products affected by CVE-2023-38840
- cpe:2.3:a:bitwarden:bitwarden:*:*:*:*:desktop:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-38840
- EPSS score: 0.04% (estimated probability of exploitation activity in the next 30 days)
- EPSS percentile: ~6% (the proportion of all scored vulnerabilities with an EPSS score at or below this one)
CVSS scores for CVE-2023-38840
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 | NIST | |
References for CVE-2023-38840
- https://github.com/bitwarden/clients/pull/5813 : "[PM-1898] Change desktop reload to `forcefullyCrashRenderer`" by Hinton, Pull Request #5813, bitwarden/clients on GitHub (Patch; Third Party Advisory)
- https://github.com/markuta/bw-dump : markuta/bw-dump on GitHub, a proof-of-concept that extracts plaintext master passwords from a locked Bitwarden vault (Third Party Advisory)
- https://github.com/bitwarden/desktop/issues/476 : "Erase Master Password in memory after login", Issue #476, bitwarden/desktop on GitHub (Issue Tracking; Third Party Advisory)
- https://redmaple.tech/blogs/2023/extract-bitwarden-vault-passwords/ : "Hunting for Bitwarden master passwords stored in memory", Red Maple Technologies (Third Party Advisory)