Vulnerability-Lookup

CNVD-2019-23987

Vulnerability from cnvd - Published: 2019-07-23

Title

Dropbox desktop application信息泄露漏洞

Description

Dropbox desktop application是美国Dropbox公司的一款开源的、跨平台的文件在线存储、同步、共享应用程序。 Dropbox desktop application 71.4.108.0版本中存在安全漏洞，该漏洞源于在完成登录或创建新账户时，Dropbox.exe文件（和Web Helper中的QtWebEngineProcess.exe文件）会将明文形式的凭证存储在内存中。攻击者可利用该漏洞完全控制账户。

Severity

中

Formal description

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法： https://www.dropbox.com/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-12171

Impacted products

Name
Dropbox Dropbox desktop application 71.4.108.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-12171"
    }
  },
  "description": "Dropbox desktop application\u662f\u7f8e\u56fdDropbox\u516c\u53f8\u7684\u4e00\u6b3e\u5f00\u6e90\u7684\u3001\u8de8\u5e73\u53f0\u7684\u6587\u4ef6\u5728\u7ebf\u5b58\u50a8\u3001\u540c\u6b65\u3001\u5171\u4eab\u5e94\u7528\u7a0b\u5e8f\u3002\n\nDropbox desktop application 71.4.108.0\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u5b8c\u6210\u767b\u5f55\u6216\u521b\u5efa\u65b0\u8d26\u6237\u65f6\uff0cDropbox.exe\u6587\u4ef6\uff08\u548cWeb Helper\u4e2d\u7684QtWebEngineProcess.exe\u6587\u4ef6\uff09\u4f1a\u5c06\u660e\u6587\u5f62\u5f0f\u7684\u51ed\u8bc1\u5b58\u50a8\u5728\u5185\u5b58\u4e2d\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5b8c\u5168\u63a7\u5236\u8d26\u6237\u3002",
  "discovererName": "unknwon",
  "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\nhttps://www.dropbox.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-23987",
  "openTime": "2019-07-23",
  "products": {
    "product": "Dropbox Dropbox desktop application 71.4.108.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-12171",
  "serverity": "\u4e2d",
  "submitTime": "2019-07-09",
  "title": "Dropbox desktop application\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2019-12171 (GCVE-0-2019-12171)

Vulnerability from cvelistv5 – Published: 2019-07-08 12:44 – Updated: 2024-08-04 23:10

Summary

Dropbox.exe (and QtWebEngineProcess.exe in the Web Helper) in the Dropbox desktop application 71.4.108.0 store cleartext credentials in memory upon successful login or new account creation. These are not securely freed in the running process.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://drive.google.com/open?id=1msz6pb08crPC0VT…	x_refsource_MISC
	https://drive.google.com/open?id=1DCGurwRTu0HsUpT…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:10:30.839Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://drive.google.com/open?id=1msz6pb08crPC0VT7s_Z_KTsKm9CbLJEXNsmRwzoNLy8"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://drive.google.com/open?id=1DCGurwRTu0HsUpTglVR0jgItZNqqDm_5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Dropbox.exe (and QtWebEngineProcess.exe in the Web Helper) in the Dropbox desktop application 71.4.108.0 store cleartext credentials in memory upon successful login or new account creation. These are not securely freed in the running process."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-07-08T12:44:11",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://drive.google.com/open?id=1msz6pb08crPC0VT7s_Z_KTsKm9CbLJEXNsmRwzoNLy8"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://drive.google.com/open?id=1DCGurwRTu0HsUpTglVR0jgItZNqqDm_5"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-12171",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Dropbox.exe (and QtWebEngineProcess.exe in the Web Helper) in the Dropbox desktop application 71.4.108.0 store cleartext credentials in memory upon successful login or new account creation. These are not securely freed in the running process."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://drive.google.com/open?id=1msz6pb08crPC0VT7s_Z_KTsKm9CbLJEXNsmRwzoNLy8",
              "refsource": "MISC",
              "url": "https://drive.google.com/open?id=1msz6pb08crPC0VT7s_Z_KTsKm9CbLJEXNsmRwzoNLy8"
            },
            {
              "name": "https://drive.google.com/open?id=1DCGurwRTu0HsUpTglVR0jgItZNqqDm_5",
              "refsource": "MISC",
              "url": "https://drive.google.com/open?id=1DCGurwRTu0HsUpTglVR0jgItZNqqDm_5"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-12171",
    "datePublished": "2019-07-08T12:44:11",
    "dateReserved": "2019-05-17T00:00:00",
    "dateUpdated": "2024-08-04T23:10:30.839Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-23987

CVE-2019-12171 (GCVE-0-2019-12171)

Tags

Sightings

Nomenclature