heisec@social.heise.de - BSI warns of KeePassXC vulnerabilities
The BSI warns of vulnerabilities in the password manager KeePassXC. Attackers can manipulate files or the master password without an authentication prompt.
- Veloxization ( @veloxization@yiffit.net ) English10•1 year ago
KeePassXC is not affected by this vulnerability.
Edit: Different issue.
- lowleveldata ( @lowleveldata@programming.dev ) 5•1 year ago
CVE-2023-32784
That’s not the issue mentioned in the article, which is CVE-2023-35866.
- Veloxization ( @veloxization@yiffit.net ) English1•1 year ago
gotcha
Added to original comment. Both are recent issues, so confusion is forgivable.
- Irisos ( @Irisos@lemmy.umainfo.live ) English3•1 year ago
This is also the vulnerability that made many people delete KeePass 2 for XC many months ago, so it is very strange that they make an article that sounds like it’s a new vulnerability.
- dog ( @dog@suppo.fi ) English5•1 year ago
Wrong vulnerability. The discovered one is CVE-2023-35866, which is still pending verification* (analysis).
This affects KeePassXC. https://nvd.nist.gov/vuln/detail/CVE-2023-35866
- Irisos ( @Irisos@lemmy.umainfo.live ) English2•1 year ago
Thanks for the correction. In that case it’s going to be interesting to see how this issue progresses.
- sudo_su ( @laskobar@feddit.de ) 10•1 year ago
Lock the PC if you leave, and lock the DB if the PC is locked or the lid is closed, and this is absolutely a non-issue.
German BSI is sometimes a little bit overmotivated ;-)
- NightDice ( @nightdice@feddit.de ) 1•1 year ago
You don’t even need to lock the pc, locking the db is sufficient. The issue allows changing the settings on unlocked databases without needing to re-confirm (at least according to the article).
- lowleveldata ( @lowleveldata@programming.dev ) 9•1 year ago
Can’t read German. What is required to perform this attack?
- lowleveldata ( @lowleveldata@programming.dev ) 12•1 year ago
OK, I looked it up (CVE-2023-35866). It basically says an attacker may export everything if they have access to your unlocked database. Which seems… obvious? The project contributors say it’s not a vulnerability, which I’m inclined to agree with.
- interolivary ( @interolivary@beehaw.org ) 10•1 year ago
You mean to say that if I leave my door unlocked, somebody might come in? This is shocking news!
- eayeith697 ( @eayeith697@iusearchlinux.fyi ) 8•1 year ago
Here is KeePassXC’s response: https://keepassxc.org/blog/2023-06-20-cve-202335866
Basically some random guy with weird misconceptions about security decided this was an issue, it’s obviously not. Honestly concerning that he was able to easily get a CVE for this and even get articles about it published on some websites.
- flatbield ( @furrowsofar@beehaw.org ) 1•1 year ago
Do we know the mechanism of access? Do you have to be on the same user’s account, or only on the same machine as any user? If the same user’s account, what do they expect? Anyone running as you has total access to your stuff anyway. Is there any way around that?
Thoughts?