CVE-2023-35866: Insecure Two-Factor-Authentication settings modification · Issue #9391 · keepassxreboot/keepassxc
In KeePassXC through 2.7.5, a local attacker can make changes to the Database security settings, including master password and second-factor authentication, within an authenticated KeePassXC Database session, without the need to authenticate these changes by entering the password and/or second-factor authentication to confirm changes.
Overview
Having set up a YubiKey for my two-factor authentication, I noticed that a confirmation through the set-up second factor is not required when making changes to security settings within that KeePassXC database.
Steps to Reproduce
- In Database-settings/Security set up a YubiKey Challenge-Response
- Create a new Entry
- Confirm with YubiKey Challenge-Response
- Go back to Database-settings/Security
- Remove YubiKey Challenge-Response
Expected Behavior
Imperative authentication through YubiKey Challenge-Response when making security-related changes to database settings.
Actual Behavior
No two-factor authentication is required, even though it is set up.
Context
This is similar to, but different from, issue 9339.
KeePassXC: 2.7.4
Operating System: Linux