CVE-2023-24055: KeePass / Feature Requests / #2773 Improve the security of password exports

** DISPUTED ** KeePass through 2.53 (in a default installation) allows an attacker, who has write access to the XML configuration file, to obtain the cleartext passwords by adding an export trigger. NOTE: the vendor’s position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.


Why do people trust KeePass, so that they use it instead of a spreadsheet? Perhaps because it is supposed to provide additional security, simply by clicking on the ‘install’ button.
And how many know that by default a simple text editor (not spyware) will configure KeePass to export, the next time they open it, all passwords in clear text without notification or confirmation?

And above all, why don’t you say on your homepage: "An attacker who has write access to the KeePass configuration file can modify it maliciously and can access all your passwords"?

If you write "These attacks can only be prevented by keeping the environment secure", in this case why do I need KeePass?

Related news

KeePass Exploit Allows Attackers to Recover Master Passwords from Memory

A proof-of-concept (PoC) has been made available for a security flaw impacting the KeePass password manager that could be exploited to recover a victim's master password in cleartext under specific circumstances. The issue, tracked as CVE-2023-32784, impacts KeePass versions 2.x for Windows, Linux, and macOS, and is expected to be patched in version 2.54, which is likely to be released early

KeePass Vulnerability Imperils Master Passwords

A newly discovered bug in the open source password manager, if exploited, lets attackers retrieve a target's master password — and proof-of-concept code is available.
