cvelistv5 - cve-2023-32784

CVE-2023-32784 (GCVE-0-2023-32784)

Vulnerability from cvelistv5

Published

2023-05-15 00:00

Modified

2025-01-23 19:29

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

Summary

In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation.

References

URL

	Vendor	Product	Version
	n/a	n/a	Version: n/a

opensuse-su-2024:12982-1

Vulnerability from csaf_opensuse

Published

2024-06-15 00:00

Modified

2024-06-15 00:00

Summary

keepass-2.54-1.1 on GA media

Notes

Title of the patch

keepass-2.54-1.1 on GA media

Description of the patch

These are all security issues fixed in the keepass-2.54-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-12982

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "keepass-2.54-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the keepass-2.54-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-12982",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12982-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-32784 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-32784/"
      }
    ],
    "title": "keepass-2.54-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:12982-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "keepass-2.54-1.1.aarch64",
                "product": {
                  "name": "keepass-2.54-1.1.aarch64",
                  "product_id": "keepass-2.54-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "keepass-2.54-1.1.ppc64le",
                "product": {
                  "name": "keepass-2.54-1.1.ppc64le",
                  "product_id": "keepass-2.54-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "keepass-2.54-1.1.s390x",
                "product": {
                  "name": "keepass-2.54-1.1.s390x",
                  "product_id": "keepass-2.54-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "keepass-2.54-1.1.x86_64",
                "product": {
                  "name": "keepass-2.54-1.1.x86_64",
                  "product_id": "keepass-2.54-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "keepass-2.54-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:keepass-2.54-1.1.aarch64"
        },
        "product_reference": "keepass-2.54-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "keepass-2.54-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:keepass-2.54-1.1.ppc64le"
        },
        "product_reference": "keepass-2.54-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "keepass-2.54-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:keepass-2.54-1.1.s390x"
        },
        "product_reference": "keepass-2.54-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "keepass-2.54-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:keepass-2.54-1.1.x86_64"
        },
        "product_reference": "keepass-2.54-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-32784",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-32784"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:keepass-2.54-1.1.aarch64",
          "openSUSE Tumbleweed:keepass-2.54-1.1.ppc64le",
          "openSUSE Tumbleweed:keepass-2.54-1.1.s390x",
          "openSUSE Tumbleweed:keepass-2.54-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-32784",
          "url": "https://www.suse.com/security/cve/CVE-2023-32784"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1211397 for CVE-2023-32784",
          "url": "https://bugzilla.suse.com/1211397"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:keepass-2.54-1.1.aarch64",
            "openSUSE Tumbleweed:keepass-2.54-1.1.ppc64le",
            "openSUSE Tumbleweed:keepass-2.54-1.1.s390x",
            "openSUSE Tumbleweed:keepass-2.54-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:keepass-2.54-1.1.aarch64",
            "openSUSE Tumbleweed:keepass-2.54-1.1.ppc64le",
            "openSUSE Tumbleweed:keepass-2.54-1.1.s390x",
            "openSUSE Tumbleweed:keepass-2.54-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-32784"
    }
  ]
}

opensuse-su-2023:0157-1

Vulnerability from csaf_opensuse

Published

2023-06-27 18:21

Modified

2023-06-27 18:21

Summary

Security update for keepass

Notes

Title of the patch

Security update for keepass

Description of the patch

This update for keepass fixes the following issues: Update to 2.54 * Security: + Improved process memory protection of secure edit controls (CVE-2023-32784, boo#1211397). * New Features: + Triggers, global URL overrides, password generator profiles and a few more settings are now stored in the enforced configuration file. + Added dialog 'Enforce Options (All Users)' (menu 'Tools' → 'Advanced Tools' → 'Enforce Options'), which facilitates storing certain options in the enforced configuration file. + In report dialogs, passwords (and other sensitive data) are now hidden using asterisks by default (if hiding is activated in the main window); the hiding can be toggled using the new '***' button in the toolbar. + The 'Print' command in most report dialogs now requires the 'Print' application policy flag, and the master key must be entered if the 'Print - No Key Repeat' application policy flag is deactivated. + The 'Export' command in most report dialogs now requires the 'Export' application policy flag, and the master key must be entered. + Single line edit dialogs now support hiding the value using asterisks. + Commands that require elevation now have a shield icon like on Windows. + TrlUtil: added 'Move Selected Unused Text to Dialog Control' command. * Improvements: * The content mode of the configuration elements '/Configuration/Application/TriggerSystem', '/Configuration/Integration/UrlSchemeOverrides' and '/Configuration/PasswordGenerator/UserProfiles' is now 'Replace' by default. * The built-in override for the 'ssh' URI scheme is now deactivated by default (it can be activated in the 'URL Overrides' dialog). * When opening the password generator dialog without a derived profile, the '(Automatically generated passwords for new entries)' profile is now selected by default, if profiles are enabled (otherwise the default profile is used). * The clipboard workarounds are now disabled by default (they are not needed anymore on most systems). * Improved clipboard clearing. * Improved starting of an elevated process. * Bugfixes: + In report dialogs, the 'Print' and 'Export' commands now always use the actual data (in previous versions, asterisks were printed/exported when the application policy flag 'Unhide Passwords' was turned off). - Update to 2.53.1 * When testing a KDF ('Test' button in the database settings dialog), KeePass now spawns a child process that performs the KDF computation (which allows to cancel the test more cleanly in the case of excessive parameters; security is unaffected, because dummy data is used for the test). * Removed the 'Export - No Key Repeat' application policy flag; KeePass now always asks for the current master key when trying to export data. * Minor other improvements. - Update to 2.53 * New Features: + For each entry listed on the 'History' tab page of the entry dialog, the fields modified with respect to the previous entry are displayed. + Added 'Compare' button on the 'History' tab page of the entry dialog; when two (not necessarily consecutive) history entries are selected, clicking the button shows a detailed comparison (with values, etc.). + When editing an entry, the history entry list of the entry dialog now contains an entry called 'Dialog (unsaved)', which represents all data entered in the current dialog (other tab pages). + When editing an entry, the history entry list of the entry dialog now contains an entry called 'Current (TIME)', which is the entry that is currently stored in the database (without any changes made in the current dialog). + Added 'History' command in the 'Find' main menu; it lists all entry modifications (sorted by time). + Added filter box in most report dialogs (last modified entries, history, large entries, similar password clusters, password quality, history entry comparison, database file search, ...). + Added 'Print' button in most report dialogs. + Added 'Export' button in most report dialogs; supported formats are CSV and HTML. + Added {EDGE} placeholder, which is replaced by the executable path of the new (Chromium-based) Microsoft Edge, if installed. + Added URL override suggestion for Microsoft Edge in private mode in the URL override suggestions drop-down list of the entry dialog. + Added optional built-in global URL overrides for opening HTTP/HTTPS URLs with Microsoft Edge in private mode. + When trying to rearrange entries while automatic sorting is activated, KeePass now asks whether to deactivate automatic sorting. + Added access keys in the tags button drop-down menu of the entry/group dialogs. + Added access keys in the 'View' → 'Sort By' menu. + Added access keys in the entry templates menu. + Added access keys in the 'Perform Auto-Type' menu (which is displayed if the 'Show additional auto-type menu commands' option is turned on). + Added {HMACOTP} and {TIMEOTP} in the 'Perform Auto-Type' menu. + Added keyboard shortcut Ctrl+T for the 'Copy Time-Based OTP' entry data command. + Added keyboard shortcut Ctrl+Shift+T for the 'Show Time-Based OTP' entry data command. + Enhanced Password Depot XML import module to support the new format (added support for the new node names, group icons, recycle bin, tags, favorites, auto-type delay conversion, history, enhanced icon mapping, enhanced date/time parsing, ...). + Added border for headings in HTML exports/printouts. + Added support for running KeePass in FIPS mode. * Improvements: + History entries listed on the 'History' tab page of the entry dialog are now sorted from newest to oldest. + The icons in the list on the 'History' tab page of the entry dialog now indicate the type of the entry. + History entry controls of the entry dialog are now disabled when creating a new entry. + The history entry 'Restore' button is now disabled when any change has been made in the current dialog. + The 'Password modified' time is now updated immediately when deleting a history entry. + Improved URL override suggestion for Microsoft Edge in the URL override suggestions drop-down list of the entry dialog (changed from 'microsoft-edge:{URL}' to 'cmd://{EDGE} '{URL}''). + Improved optional built-in global URL overrides for opening HTTP/HTTPS URLs with Microsoft Edge (changed from 'microsoft-edge:{BASE}' to 'cmd://{EDGE} '{BASE}''). + Reordered web browser URL overrides alphabetically. + Improved dynamic menu item access key assignment. + Improved item separation in the entry details view. + In most places, groups in a group path are now separated by right arrows instead of hyphens. + Improved last modification time comparison for plugin data dictionaries. + Unified generation of common HTML parts. + The 'Copy Initial Password' command in the 'Tools' menu of the entry dialog now requires the 'Copy' application policy flag. + Various UI text improvements. + Various code optimizations. + Minor other improvements. * Bugfixes: + The history entry 'Restore' button now always works as expected. - Update to 2.52 * New Features: + Added 'Copy Initial Password' command in the tools menu of the entry dialog; it copies (to the clipboard) the password that was current when the dialog was opened. + When multiple entries are selected (containing at least one attachment), the number of attachments is now displayed in the 'Attachments' submenu of the entry menu. + Added option 'Alt. item background color' (supporting the states 'Off', 'On, default color' and 'On, custom color'); this combines the previous two options 'Use alternating item background colors' and 'Custom alt. item color'. + Comment placeholders ({C:...}) may now contain balanced braces. + In the auto-type entry selection dialog, values in the 'Sequence - Comments' column are dereferenced now. + The time when the password of an entry was last changed is now displayed in the entry dialog on the 'History' tab page. + Added support for importing 1Password 8.7 1PUX files. + Added support for importing Key Folder 1.22 XML files. + Sticky Password XML import: added support for importing groups and expiry dates. + Steganos Password Manager CSV import: added support for the new encoding of double quotes. + Bitwarden JSON import: time-based one-time password generator settings are converted automatically now. + KeePass now checks the 'KeePass.exe.config' file and shows a warning message when finding a problem. + For development builds: added command for showing GC information. + Plugins can now load the header of a database file more easily. + Plugins can now subscribe to a master key change event. + TrlUtil: added workaround for .NET tab control focus bug. * Improvements: + Moved the command 'Save Attached File(s) To' into the 'Attachments' submenu of the entry menu and renamed it to 'Save File(s) To'. + The command for saving attached files is now available only if at least one of the selected entries has at least one attachment. + The {APPACTIVATE ...} auto-type command now ignores the options 'Cancel auto-type when the target window changes' and 'Cancel auto-type when the target window title changes'. + {APPACTIVATE ...} auto-type command: if the specified window does not exist or cannot be focused, auto-type is aborted now. + Unified creation of fields with indices. + Improved database modification state and UI updating after imports/synchronizations. + In the master key creation/prompt dialogs, the [OK] button is now disabled when checking the 'Key file/provider' check box and selecting '(None)' in the combo box. + Improved drop-down menu width adjustment for certain combo boxes in the options dialog. + Improved hashing performance of protected binaries, UUIDs, ... + Performance improvements related to empty arrays. + Improved Mono framework version detection. + TrlUtil: improved preview dialog update performance. + Various UI text improvements. + Various code optimizations. + Minor other improvements. * Bugfixes: * Fixed a bug that caused a minimized main window to be restored to a normal window instead of a maximized window in certain situations. * The 'Help' menu item in the entry dialog and the 'Help' button in the entry string field dialog now open the correct help sections. - Update to 2.51.1 * New Features: + Most dialogs with fixed size now detect whether they fit onto the current screen, and when a dialog does not fit (e.g. due to a very high DPI factor), its size is reduced and scroll bars are displayed. + Added plural entry command names in the main window (e.g. the command for editing the currently selected entry/entries is now called either 'Edit Entry' or 'Edit Entries', depending on the number of selected entries). + Added tooltip for the main part of the status bar of the main window. + Enhanced color buttons (tooltips, accessible names, ...) in the entry dialog, in the database settings dialog and in the options dialog. + Added 'Interface (2)' tab page in the options dialog, renamed the existing 'Interface' tab page to 'Interface (1)', moved some controls from 'Interface (1)' to 'Interface (2)'. + Enhanced font selection controls (with a checkbox that allows to return to the default, the button shows the currently selected font, tooltip, improved accessibility, ...) in the options dialog. + Added help links 'Dark theme' and 'Main font (size)' in the options dialog. + The options 'Custom alt. item color' and 'Esc keypress in main window' are now disabled if they are enforced (by an enforced configuration file). + Added support for opening URLs with Waterfox in private mode. + Added dialog for editing (HMAC-based and time-based) one-time password generator settings (can be opened using the 'OTP Generator Settings' commands in the entry dialog or in the 'Edit Entry (Quick)' menu of the main window). + Added entry commands 'Copy HMAC-Based OTP', 'Show HMAC-Based OTP', 'Copy Time-Based OTP' and 'Show Time-Based OTP' (in the 'Other Data' menu). + Added entry commands 'Copy Title' and 'Copy Notes' (in the 'Other Data' menu). + When switching to the 'Generate' tab page of the password generator dialog (no database open), the entropy collection dialog is displayed now, if the option 'Show dialog for collecting user input as additional entropy' is turned on. + Added option 'Colorize password characters' in the HTML export/print dialog; the colors are customizable. + Added options 'Custom main font' and 'Custom password font' in the HTML export/print dialog. + Added horizontal entry separator lines in tabular HTML exports/printouts. + In the plugins dialog, the 'Delete old files from cache automatically' option and the 'Clear' button are now disabled if they are enforced (by an enforced configuration file). + Plugins can now change the expiry date of an entry more easily. * Improvements: + Improved main window initialization performance. + Improved initial emergence of a minimized or maximized main window (less flickering, improved performance, ...). + Improved names/tooltips of the database toolbar buttons in the main window. + Improved handling of bold/italic list fonts. + Improved entry list update performance in certain situations. + Improved dynamic menu deconstruction performance. + Fields starting with 'HmacOtp-' or 'TimeOtp-' are not shown in the entry string copy menu anymore. + Improved tooltips and accessibility of password repetition text boxes. + When a dark theme is active, the error background color of text boxes is darker now. + Improved accessibility of expiry control groups. + The title of the master key creation/change dialog is now adjusted to the context. + Improved 'Compression' tab page of the database settings dialog (extended 'None' option description, improved accessibility, ...). + If no color has been specified, the 'Custom alt. item color' button in the options dialog now shows the default color. + Improved HTML generation for HTML exports/printouts. + Improved default fonts used when printing or exporting to HTML. + In block HTML exports/printouts, field names are not italic anymore (unless the user has selected an italic main font). + In HTML exports/printouts, all field values except passwords are trimmed now. + HTML exports/printouts: improved encoding of white-space characters in passwords. + Improved horizontal entry separator lines in block HTML exports/printouts. + TrlUtil: improved control classification. + Increased Authenticode certificate key length. + Improved entry list update performance when duplicating entries. + Various CHM/help improvements. + Various UI text improvements. + Various code optimizations. + Minor other improvements. * Bugfixes: + The option 'Use alternating item background colors' is now compatible with automatic sorting again. + The command line parameter '-preselect:' now works as expected when the option 'Clear master key command line parameters after using them once' is turned on. + Font selections in the options dialog are now applied only when closing the dialog with [OK]. + Fixed an entry list scrolling bug. - Update to 2.50 * New Features: + On most Linux systems, AES-KDF is now about 4 times as fast as before, if the 'libgcrypt' library is installed. + On most Linux systems, Argon2d and Argon2id are now about 3 times as fast as before (for default parameters), if the 'libargon2' library is installed. + The option 'Enter master key on secure desktop' is now also supported by master key prompt dialogs shown during imports, confirmations (before exporting, printing, changing the master key, ...) and trigger actions. + The option 'Enter master key on secure desktop' is now also supported by master key creation/change dialogs. + The key file/provider combo boxes in the master key dialogs now have a tooltip that shows the current value, if the value is very long. + Added password generation button in the entry string field dialog. + When double-clicking the title cell of an entry in the main entry list while holding down the Shift key, the title is now copied to the clipboard. + Added support for detecting the latest versions of Chromium on Unix-like systems (for 'Open with ...' commands in the 'URL(s)' menu, for the {GOOGLECHROME} placeholder, ...). + In the 'URL(s)' menu, there now are separate commands for Google Chrome and Chromium, if both are installed. + Enhanced support for detecting Vivaldi, Brave, Pale Moon and Epiphany. + Added support for importing Kaspersky Password Manager 9.0.2 TXT files. + Bitwarden import module: added support for importing subfolders, and collection names are now imported as tags. + In the 'About KeePass' dialog, each item in the components list now has a tooltip that shows the file/folder path of the component, if it is installed. + In the 'About KeePass' dialog, a double-click onto a component now shows the component file/folder with the file manager. + In the 'About KeePass' dialog, the components list now has a context menu that provides the following new commands: 'Show with File Manager', 'Copy Version/Status' and 'Copy Path'. * Improvements: + If the option 'An entry matches if one of its tags is contained in the target window title' is turned on, auto-type now additionally considers tags inherited from groups. + The built-in password generation patterns 'Hex Key - *-Bit' now use upper-case hexadecimal symbols. + Improved Spr variance check of the password generator (custom string references, ...). + All commands in the password generator menu (shown by the password generator buttons in entry/string dialogs) support the option 'Show dialog for collecting user input as additional entropy' now. * Bugfixes: + Column header context menus are not shown for non-report list views anymore. + When copying a URL to the clipboard fails, the main entry list is updated now. + Toggling the password generator option 'Show dialog for collecting user input as additional entropy' now causes a switch to the '(Custom)' profile. + In the TAN wizard dialog, group names containing ampersands are displayed correctly now. - Add recommends to libargon2-1 and libgrypt20 as Keepass can use those for faster operations.

Patchnames

openSUSE-2023-157

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for keepass",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for keepass fixes the following issues:\n\nUpdate to 2.54\n\n  * Security:\n\n    + Improved process memory protection of secure edit controls (CVE-2023-32784, boo#1211397).\n\n  * New Features:\n\n    + Triggers, global URL overrides, password generator profiles and a few more settings are now stored in the enforced configuration file.\n    + Added dialog \u0027Enforce Options (All Users)\u0027 (menu \u0027Tools\u0027 \u2192 \u0027Advanced Tools\u0027 \u2192 \u0027Enforce Options\u0027), which facilitates storing certain options in the enforced configuration file.\n    + In report dialogs, passwords (and other sensitive data) are now hidden using asterisks by default (if hiding is activated in the main window); the hiding can be toggled using the new \u0027***\u0027 button in the toolbar.\n    + The \u0027Print\u0027 command in most report dialogs now requires the \u0027Print\u0027 application policy flag, and the master key must be entered if the \u0027Print - No Key Repeat\u0027 application policy flag is deactivated.\n    + The \u0027Export\u0027 command in most report dialogs now requires the \u0027Export\u0027 application policy flag, and the master key must be entered.\n    + Single line edit dialogs now support hiding the value using asterisks.\n    + Commands that require elevation now have a shield icon like on Windows.\n    + TrlUtil: added \u0027Move Selected Unused Text to Dialog Control\u0027 command.\n  * Improvements:\n    * The content mode of the configuration elements \u0027/Configuration/Application/TriggerSystem\u0027, \u0027/Configuration/Integration/UrlSchemeOverrides\u0027 and \u0027/Configuration/PasswordGenerator/UserProfiles\u0027 is now \u0027Replace\u0027 by default.\n    * The built-in override for the \u0027ssh\u0027 URI scheme is now deactivated by default (it can be activated in the \u0027URL Overrides\u0027 dialog).\n    * When opening the password generator dialog without a derived profile, the \u0027(Automatically generated passwords for new entries)\u0027 profile is now selected by default, if profiles are enabled (otherwise the default profile is used).\n    * The clipboard workarounds are now disabled by default (they are not needed anymore on most systems).\n    * Improved clipboard clearing.\n    * Improved starting of an elevated process.\n\n  * Bugfixes:\n\n    + In report dialogs, the \u0027Print\u0027 and \u0027Export\u0027 commands now always use the actual data (in previous versions, asterisks were printed/exported when the application policy flag \u0027Unhide Passwords\u0027 was turned off).\n\n- Update to 2.53.1\n\n  * When testing a KDF (\u0027Test\u0027 button in the database settings dialog), KeePass now spawns a child process that performs the KDF computation (which allows to cancel the test more cleanly in the case of excessive parameters; security is unaffected, because dummy data is used for the test).\n  * Removed the \u0027Export - No Key Repeat\u0027 application policy flag; KeePass now always asks for the current master key when trying to export data.\n  * Minor other improvements.\n\n- Update to 2.53\n\n  * New Features:\n\n    + For each entry listed on the \u0027History\u0027 tab page of the entry dialog, the fields modified with respect to the previous entry are displayed.\n    + Added \u0027Compare\u0027 button on the \u0027History\u0027 tab page of the entry dialog; when two (not necessarily consecutive) history entries are selected, clicking the button shows a detailed comparison (with values, etc.).\n    + When editing an entry, the history entry list of the entry dialog now contains an entry called \u0027Dialog (unsaved)\u0027, which represents all data entered in the current dialog (other tab pages).\n    + When editing an entry, the history entry list of the entry dialog now contains an entry called \u0027Current (TIME)\u0027, which is the entry that is currently stored in the database (without any changes made in the current dialog).\n    + Added \u0027History\u0027 command in the \u0027Find\u0027 main menu; it lists all entry modifications (sorted by time).\n    + Added filter box in most report dialogs (last modified entries, history, large entries, similar password clusters, password quality, history entry comparison, database file search, ...).\n    + Added \u0027Print\u0027 button in most report dialogs.\n    + Added \u0027Export\u0027 button in most report dialogs; supported formats are CSV and HTML.\n    + Added {EDGE} placeholder, which is replaced by the executable path of the new (Chromium-based) Microsoft Edge, if installed.\n    + Added URL override suggestion for Microsoft Edge in private mode in the URL override suggestions drop-down list of the entry dialog.\n    + Added optional built-in global URL overrides for opening HTTP/HTTPS URLs with Microsoft Edge in private mode.\n    + When trying to rearrange entries while automatic sorting is activated, KeePass now asks whether to deactivate automatic sorting.\n    + Added access keys in the tags button drop-down menu of the entry/group dialogs.\n    + Added access keys in the \u0027View\u0027 \u2192 \u0027Sort By\u0027 menu.\n    + Added access keys in the entry templates menu.\n    + Added access keys in the \u0027Perform Auto-Type\u0027 menu (which is displayed if the \u0027Show additional auto-type menu commands\u0027 option is turned on).\n    + Added {HMACOTP} and {TIMEOTP} in the \u0027Perform Auto-Type\u0027 menu.\n    + Added keyboard shortcut Ctrl+T for the \u0027Copy Time-Based OTP\u0027 entry data command.\n    + Added keyboard shortcut Ctrl+Shift+T for the \u0027Show Time-Based OTP\u0027 entry data command.\n    + Enhanced Password Depot XML import module to support the new format (added support for the new node names, group icons, recycle bin, tags, favorites, auto-type delay conversion, history, enhanced icon mapping, enhanced date/time parsing, ...).\n    + Added border for headings in HTML exports/printouts.\n    + Added support for running KeePass in FIPS mode.\n\n  * Improvements:\n\n    + History entries listed on the \u0027History\u0027 tab page of the entry dialog are now sorted from newest to oldest.\n    + The icons in the list on the \u0027History\u0027 tab page of the entry dialog now indicate the type of the entry.\n    + History entry controls of the entry dialog are now disabled when creating a new entry.\n    + The history entry \u0027Restore\u0027 button is now disabled when any change has been made in the current dialog.\n    + The \u0027Password modified\u0027 time is now updated immediately when deleting a history entry.\n    + Improved URL override suggestion for Microsoft Edge in the URL override suggestions drop-down list of the entry dialog (changed from \u0027microsoft-edge:{URL}\u0027 to \u0027cmd://{EDGE} \u0027{URL}\u0027\u0027).\n    + Improved optional built-in global URL overrides for opening HTTP/HTTPS URLs with Microsoft Edge (changed from \u0027microsoft-edge:{BASE}\u0027 to \u0027cmd://{EDGE} \u0027{BASE}\u0027\u0027).\n    + Reordered web browser URL overrides alphabetically.\n    + Improved dynamic menu item access key assignment.\n    + Improved item separation in the entry details view.\n    + In most places, groups in a group path are now separated by right arrows instead of hyphens.\n    + Improved last modification time comparison for plugin data dictionaries.\n    + Unified generation of common HTML parts.\n    + The \u0027Copy Initial Password\u0027 command in the \u0027Tools\u0027 menu of the entry dialog now requires the \u0027Copy\u0027 application policy flag.\n    + Various UI text improvements.\n    + Various code optimizations.\n    + Minor other improvements.\n\n  * Bugfixes:\n\n    + The history entry \u0027Restore\u0027 button now always works as expected.\n\n- Update to 2.52\n\n  * New Features:\n\n    + Added \u0027Copy Initial Password\u0027 command in the tools menu of the entry dialog; it copies (to the clipboard) the password that was current when the dialog was opened.\n    + When multiple entries are selected (containing at least one attachment), the number of attachments is now displayed in the \u0027Attachments\u0027 submenu of the entry menu.\n    + Added option \u0027Alt. item background color\u0027 (supporting the states \u0027Off\u0027, \u0027On, default color\u0027 and \u0027On, custom color\u0027); this combines the previous two options \u0027Use alternating item background colors\u0027 and \u0027Custom alt. item color\u0027.\n    + Comment placeholders ({C:...}) may now contain balanced braces.\n    + In the auto-type entry selection dialog, values in the \u0027Sequence - Comments\u0027 column are dereferenced now.\n    + The time when the password of an entry was last changed is now displayed in the entry dialog on the \u0027History\u0027 tab page.\n    + Added support for importing 1Password 8.7 1PUX files.\n    + Added support for importing Key Folder 1.22 XML files.\n    + Sticky Password XML import: added support for importing groups and expiry dates.\n    + Steganos Password Manager CSV import: added support for the new encoding of double quotes.\n    + Bitwarden JSON import: time-based one-time password generator settings are converted automatically now.\n    + KeePass now checks the \u0027KeePass.exe.config\u0027 file and shows a warning message when finding a problem.\n    + For development builds: added command for showing GC information.\n    + Plugins can now load the header of a database file more easily.\n    + Plugins can now subscribe to a master key change event.\n    + TrlUtil: added workaround for .NET tab control focus bug.\n\n  * Improvements:\n\n    + Moved the command \u0027Save Attached File(s) To\u0027 into the \u0027Attachments\u0027 submenu of the entry menu and renamed it to \u0027Save File(s) To\u0027.\n    + The command for saving attached files is now available only if at least one of the selected entries has at least one attachment.\n    + The {APPACTIVATE ...} auto-type command now ignores the options \u0027Cancel auto-type when the target window changes\u0027 and \u0027Cancel auto-type when the target window title changes\u0027.\n    + {APPACTIVATE ...} auto-type command: if the specified window does not exist or cannot be focused, auto-type is aborted now.\n    + Unified creation of fields with indices.\n    + Improved database modification state and UI updating after imports/synchronizations.\n    + In the master key creation/prompt dialogs, the [OK] button is now disabled when checking the \u0027Key file/provider\u0027 check box and selecting \u0027(None)\u0027 in the combo box.\n    + Improved drop-down menu width adjustment for certain combo boxes in the options dialog.\n    + Improved hashing performance of protected binaries, UUIDs, ...\n    + Performance improvements related to empty arrays.\n    + Improved Mono framework version detection.\n    + TrlUtil: improved preview dialog update performance.\n    + Various UI text improvements.\n    + Various code optimizations.\n    + Minor other improvements.\n\n  * Bugfixes:\n\n    * Fixed a bug that caused a minimized main window to be restored to a normal window instead of a maximized window in certain situations.\n    * The \u0027Help\u0027 menu item in the entry dialog and the \u0027Help\u0027 button in the entry string field dialog now open the correct help sections.\n\n- Update to 2.51.1\n\n  * New Features:\n\n    + Most dialogs with fixed size now detect whether they fit onto the current screen, and when a dialog does not fit (e.g. due to a very high DPI factor), its size is reduced and scroll bars are displayed.\n    + Added plural entry command names in the main window (e.g. the command for editing the currently selected entry/entries is now called either \u0027Edit Entry\u0027 or \u0027Edit Entries\u0027, depending on the number of selected entries).\n    + Added tooltip for the main part of the status bar of the main window.\n    + Enhanced color buttons (tooltips, accessible names, ...) in the entry dialog, in the database settings dialog and in the options dialog.\n    + Added \u0027Interface (2)\u0027 tab page in the options dialog, renamed the existing \u0027Interface\u0027 tab page to \u0027Interface (1)\u0027, moved some controls from \u0027Interface (1)\u0027 to \u0027Interface (2)\u0027.\n    + Enhanced font selection controls (with a checkbox that allows to return to the default, the button shows the currently selected font, tooltip, improved accessibility, ...) in the options dialog.\n    + Added help links \u0027Dark theme\u0027 and \u0027Main font (size)\u0027 in the options dialog.\n    + The options \u0027Custom alt. item color\u0027 and \u0027Esc keypress in main window\u0027 are now disabled if they are enforced (by an enforced configuration file).\n    + Added support for opening URLs with Waterfox in private mode.\n    + Added dialog for editing (HMAC-based and time-based) one-time password generator settings (can be opened using the \u0027OTP Generator Settings\u0027 commands in the entry dialog or in the \u0027Edit Entry (Quick)\u0027 menu of the main window).\n    + Added entry commands \u0027Copy HMAC-Based OTP\u0027, \u0027Show HMAC-Based OTP\u0027, \u0027Copy Time-Based OTP\u0027 and \u0027Show Time-Based OTP\u0027 (in the \u0027Other Data\u0027 menu).\n    + Added entry commands \u0027Copy Title\u0027 and \u0027Copy Notes\u0027 (in the \u0027Other Data\u0027 menu).\n    + When switching to the \u0027Generate\u0027 tab page of the password generator dialog (no database open), the entropy collection dialog is displayed now, if the option \u0027Show dialog for collecting user input as additional entropy\u0027 is turned on.\n    + Added option \u0027Colorize password characters\u0027 in the HTML export/print dialog; the colors are customizable.\n    + Added options \u0027Custom main font\u0027 and \u0027Custom password font\u0027 in the HTML export/print dialog.\n    + Added horizontal entry separator lines in tabular HTML exports/printouts.\n    + In the plugins dialog, the \u0027Delete old files from cache automatically\u0027 option and the \u0027Clear\u0027 button are now disabled if they are enforced (by an enforced configuration file).\n    + Plugins can now change the expiry date of an entry more easily.\n\n  * Improvements:\n\n    + Improved main window initialization performance.\n    + Improved initial emergence of a minimized or maximized main window (less flickering, improved performance, ...).\n    + Improved names/tooltips of the database toolbar buttons in the main window.\n    + Improved handling of bold/italic list fonts.\n    + Improved entry list update performance in certain situations.\n    + Improved dynamic menu deconstruction performance.\n    + Fields starting with \u0027HmacOtp-\u0027 or \u0027TimeOtp-\u0027 are not shown in the entry string copy menu anymore.\n    + Improved tooltips and accessibility of password repetition text boxes.\n    + When a dark theme is active, the error background color of text boxes is darker now.\n    + Improved accessibility of expiry control groups.\n    + The title of the master key creation/change dialog is now adjusted to the context.\n    + Improved \u0027Compression\u0027 tab page of the database settings dialog (extended \u0027None\u0027 option description, improved accessibility, ...).\n    + If no color has been specified, the \u0027Custom alt. item color\u0027 button in the options dialog now shows the default color.\n    + Improved HTML generation for HTML exports/printouts.\n    + Improved default fonts used when printing or exporting to HTML.\n    + In block HTML exports/printouts, field names are not italic anymore (unless the user has selected an italic main font).\n    + In HTML exports/printouts, all field values except passwords are trimmed now.\n    + HTML exports/printouts: improved encoding of white-space characters in passwords.\n    + Improved horizontal entry separator lines in block HTML exports/printouts.\n    + TrlUtil: improved control classification.\n    + Increased Authenticode certificate key length.\n    + Improved entry list update performance when duplicating entries.\n    + Various CHM/help improvements.\n    + Various UI text improvements.\n    + Various code optimizations.\n    + Minor other improvements.\n\n  * Bugfixes:\n\n    + The option \u0027Use alternating item background colors\u0027 is now compatible with automatic sorting again.\n    + The command line parameter \u0027-preselect:\u0027 now works as expected when the option \u0027Clear master key command line parameters after using them once\u0027 is turned on.\n    + Font selections in the options dialog are now applied only when closing the dialog with [OK].\n    + Fixed an entry list scrolling bug.\n\n- Update to 2.50\n\n  * New Features:\n\n    + On most Linux systems, AES-KDF is now about 4 times as fast as before, if the \u0027libgcrypt\u0027 library is installed.\n    + On most Linux systems, Argon2d and Argon2id are now about 3 times as fast as before (for default parameters), if the \u0027libargon2\u0027 library is installed.\n    + The option \u0027Enter master key on secure desktop\u0027 is now also supported by master key prompt dialogs shown during imports, confirmations (before exporting, printing, changing the master key, ...) and trigger actions.\n    + The option \u0027Enter master key on secure desktop\u0027 is now also supported by master key creation/change dialogs.\n    + The key file/provider combo boxes in the master key dialogs now have a tooltip that shows the current value, if the value is very long.\n    + Added password generation button in the entry string field dialog.\n    + When double-clicking the title cell of an entry in the main entry list while holding down the Shift key, the title is now copied to the clipboard.\n    + Added support for detecting the latest versions of Chromium on Unix-like systems (for \u0027Open with ...\u0027 commands in the \u0027URL(s)\u0027 menu, for the {GOOGLECHROME} placeholder, ...).\n    + In the \u0027URL(s)\u0027 menu, there now are separate commands for Google Chrome and Chromium, if both are installed.\n    + Enhanced support for detecting Vivaldi, Brave, Pale Moon and Epiphany.\n    + Added support for importing Kaspersky Password Manager 9.0.2 TXT files.\n    + Bitwarden import module: added support for importing subfolders, and collection names are now imported as tags.\n    + In the \u0027About KeePass\u0027 dialog, each item in the components list now has a tooltip that shows the file/folder path of the component, if it is installed.\n    + In the \u0027About KeePass\u0027 dialog, a double-click onto a component now shows the component file/folder with the file manager.\n    + In the \u0027About KeePass\u0027 dialog, the components list now has a context menu that provides the following new commands: \u0027Show with File Manager\u0027, \u0027Copy Version/Status\u0027 and \u0027Copy Path\u0027.\n  * Improvements:\n    + If the option \u0027An entry matches if one of its tags is contained in the target window title\u0027 is turned on, auto-type now additionally considers tags inherited from groups.\n    + The built-in password generation patterns \u0027Hex Key - *-Bit\u0027 now use upper-case hexadecimal symbols.\n    + Improved Spr variance check of the password generator (custom string references, ...).\n    + All commands in the password generator menu (shown by the password generator buttons in entry/string dialogs) support the option \u0027Show dialog for collecting user input as additional entropy\u0027 now.\n  * Bugfixes:\n    + Column header context menus are not shown for non-report list views anymore.\n    + When copying a URL to the clipboard fails, the main entry list is updated now.\n    + Toggling the password generator option \u0027Show dialog for collecting user input as additional entropy\u0027 now causes a switch to the \u0027(Custom)\u0027 profile.\n    + In the TAN wizard dialog, group names containing ampersands are displayed correctly now.\n\n- Add recommends to libargon2-1 and libgrypt20 as Keepass can use\n  those for faster operations.\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2023-157",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2023_0157-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2023:0157-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YO3KDTWTM4LYCKXITB6HKBAPXRJFQLJ6/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2023:0157-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YO3KDTWTM4LYCKXITB6HKBAPXRJFQLJ6/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1211397",
        "url": "https://bugzilla.suse.com/1211397"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-32784 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-32784/"
      }
    ],
    "title": "Security update for keepass",
    "tracking": {
      "current_release_date": "2023-06-27T18:21:20Z",
      "generator": {
        "date": "2023-06-27T18:21:20Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2023:0157-1",
      "initial_release_date": "2023-06-27T18:21:20Z",
      "revision_history": [
        {
          "date": "2023-06-27T18:21:20Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "keepass-2.54-bp154.2.3.1.noarch",
                "product": {
                  "name": "keepass-2.54-bp154.2.3.1.noarch",
                  "product_id": "keepass-2.54-bp154.2.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP4",
                "product": {
                  "name": "SUSE Package Hub 15 SP4",
                  "product_id": "SUSE Package Hub 15 SP4"
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.4",
                "product": {
                  "name": "openSUSE Leap 15.4",
                  "product_id": "openSUSE Leap 15.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "keepass-2.54-bp154.2.3.1.noarch as component of SUSE Package Hub 15 SP4",
          "product_id": "SUSE Package Hub 15 SP4:keepass-2.54-bp154.2.3.1.noarch"
        },
        "product_reference": "keepass-2.54-bp154.2.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "keepass-2.54-bp154.2.3.1.noarch as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:keepass-2.54-bp154.2.3.1.noarch"
        },
        "product_reference": "keepass-2.54-bp154.2.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-32784",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-32784"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP4:keepass-2.54-bp154.2.3.1.noarch",
          "openSUSE Leap 15.4:keepass-2.54-bp154.2.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-32784",
          "url": "https://www.suse.com/security/cve/CVE-2023-32784"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1211397 for CVE-2023-32784",
          "url": "https://bugzilla.suse.com/1211397"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP4:keepass-2.54-bp154.2.3.1.noarch",
            "openSUSE Leap 15.4:keepass-2.54-bp154.2.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP4:keepass-2.54-bp154.2.3.1.noarch",
            "openSUSE Leap 15.4:keepass-2.54-bp154.2.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2023-06-27T18:21:20Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-32784"
    }
  ]
}

opensuse-su-2023:0163-1

Vulnerability from csaf_opensuse

Published

2023-06-30 07:32

Modified

2023-06-30 07:32

Summary

Security update for keepass

Notes

Title of the patch

Security update for keepass

Description of the patch

This update for keepass fixes the following issues: - Update to 2.54 * Security: + Improved process memory protection of secure edit controls (CVE-2023-32784, boo#1211397). * New Features: + Triggers, global URL overrides, password generator profiles and a few more settings are now stored in the enforced configuration file. + Added dialog 'Enforce Options (All Users)' (menu 'Tools' → 'Advanced Tools' → 'Enforce Options'), which facilitates storing certain options in the enforced configuration file. + In report dialogs, passwords (and other sensitive data) are now hidden using asterisks by default (if hiding is activated in the main window); the hiding can be toggled using the new '***' button in the toolbar. + The 'Print' command in most report dialogs now requires the 'Print' application policy flag, and the master key must be entered if the 'Print - No Key Repeat' application policy flag is deactivated. + The 'Export' command in most report dialogs now requires the 'Export' application policy flag, and the master key must be entered. + Single line edit dialogs now support hiding the value using asterisks. + Commands that require elevation now have a shield icon like on Windows. + TrlUtil: added 'Move Selected Unused Text to Dialog Control' command. * Improvements: * The content mode of the configuration elements '/Configuration/Application/TriggerSystem', '/Configuration/Integration/UrlSchemeOverrides' and '/Configuration/PasswordGenerator/UserProfiles' is now 'Replace' by default. * The built-in override for the 'ssh' URI scheme is now deactivated by default (it can be activated in the 'URL Overrides' dialog). * When opening the password generator dialog without a derived profile, the '(Automatically generated passwords for new entries)' profile is now selected by default, if profiles are enabled (otherwise the default profile is used). * The clipboard workarounds are now disabled by default (they are not needed anymore on most systems). * Improved clipboard clearing. * Improved starting of an elevated process. * Bugfixes: + In report dialogs, the 'Print' and 'Export' commands now always use the actual data (in previous versions, asterisks were printed/exported when the application policy flag 'Unhide Passwords' was turned off).

Patchnames

openSUSE-2023-163

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for keepass",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for keepass fixes the following issues:\n\n- Update to 2.54\n\n  * Security:\n\n    + Improved process memory protection of secure edit controls (CVE-2023-32784, boo#1211397).\n\n  * New Features:\n\n    + Triggers, global URL overrides, password generator profiles and a few more settings are now stored in the enforced configuration file.\n    + Added dialog \u0027Enforce Options (All Users)\u0027 (menu \u0027Tools\u0027 \u2192 \u0027Advanced Tools\u0027 \u2192 \u0027Enforce Options\u0027), which facilitates storing certain options in the enforced configuration file.\n    + In report dialogs, passwords (and other sensitive data) are now hidden using asterisks by default (if hiding is activated in the main window); the hiding can be toggled using the new \u0027***\u0027 button in the toolbar.\n    + The \u0027Print\u0027 command in most report dialogs now requires the \u0027Print\u0027 application policy flag, and the master key must be entered if the \u0027Print - No Key Repeat\u0027 application policy flag is deactivated.\n    + The \u0027Export\u0027 command in most report dialogs now requires the \u0027Export\u0027 application policy flag, and the master key must be entered.\n    + Single line edit dialogs now support hiding the value using asterisks.\n    + Commands that require elevation now have a shield icon like on Windows.\n    + TrlUtil: added \u0027Move Selected Unused Text to Dialog Control\u0027 command.\n\n  * Improvements:\n\n    * The content mode of the configuration elements \u0027/Configuration/Application/TriggerSystem\u0027, \u0027/Configuration/Integration/UrlSchemeOverrides\u0027 and \u0027/Configuration/PasswordGenerator/UserProfiles\u0027 is now \u0027Replace\u0027 by default.\n    * The built-in override for the \u0027ssh\u0027 URI scheme is now deactivated by default (it can be activated in the \u0027URL Overrides\u0027 dialog).\n    * When opening the password generator dialog without a derived profile, the \u0027(Automatically generated passwords for new entries)\u0027 profile is now selected by default, if profiles are enabled (otherwise the default profile is used).\n    * The clipboard workarounds are now disabled by default (they are not needed anymore on most systems).\n    * Improved clipboard clearing.\n    * Improved starting of an elevated process.\n\n  * Bugfixes:\n\n    + In report dialogs, the \u0027Print\u0027 and \u0027Export\u0027 commands now always use the actual data (in previous versions, asterisks were printed/exported when the application policy flag \u0027Unhide Passwords\u0027 was turned off).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2023-163",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2023_0163-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2023:0163-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CFQRNEAN42U36FDY44HBZDRFMS7QLMMZ/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2023:0163-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/CFQRNEAN42U36FDY44HBZDRFMS7QLMMZ/"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1211397",
        "url": "https://bugzilla.suse.com/1211397"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-32784 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-32784/"
      }
    ],
    "title": "Security update for keepass",
    "tracking": {
      "current_release_date": "2023-06-30T07:32:26Z",
      "generator": {
        "date": "2023-06-30T07:32:26Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2023:0163-1",
      "initial_release_date": "2023-06-30T07:32:26Z",
      "revision_history": [
        {
          "date": "2023-06-30T07:32:26Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "keepass-2.54-bp155.2.3.1.noarch",
                "product": {
                  "name": "keepass-2.54-bp155.2.3.1.noarch",
                  "product_id": "keepass-2.54-bp155.2.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Package Hub 15 SP5",
                "product": {
                  "name": "SUSE Package Hub 15 SP5",
                  "product_id": "SUSE Package Hub 15 SP5"
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.5",
                "product": {
                  "name": "openSUSE Leap 15.5",
                  "product_id": "openSUSE Leap 15.5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "keepass-2.54-bp155.2.3.1.noarch as component of SUSE Package Hub 15 SP5",
          "product_id": "SUSE Package Hub 15 SP5:keepass-2.54-bp155.2.3.1.noarch"
        },
        "product_reference": "keepass-2.54-bp155.2.3.1.noarch",
        "relates_to_product_reference": "SUSE Package Hub 15 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "keepass-2.54-bp155.2.3.1.noarch as component of openSUSE Leap 15.5",
          "product_id": "openSUSE Leap 15.5:keepass-2.54-bp155.2.3.1.noarch"
        },
        "product_reference": "keepass-2.54-bp155.2.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-32784",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-32784"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Package Hub 15 SP5:keepass-2.54-bp155.2.3.1.noarch",
          "openSUSE Leap 15.5:keepass-2.54-bp155.2.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-32784",
          "url": "https://www.suse.com/security/cve/CVE-2023-32784"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1211397 for CVE-2023-32784",
          "url": "https://bugzilla.suse.com/1211397"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Package Hub 15 SP5:keepass-2.54-bp155.2.3.1.noarch",
            "openSUSE Leap 15.5:keepass-2.54-bp155.2.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Package Hub 15 SP5:keepass-2.54-bp155.2.3.1.noarch",
            "openSUSE Leap 15.5:keepass-2.54-bp155.2.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2023-06-30T07:32:26Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-32784"
    }
  ]
}

gsd-2023-32784

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-32784

Aliases

CVE-2023-32784

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-32784",
    "id": "GSD-2023-32784"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-32784"
      ],
      "details": "In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation.",
      "id": "GSD-2023-32784",
      "modified": "2023-12-13T01:20:24.165580Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2023-32784",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/vdohney/keepass-password-dumper",
            "refsource": "MISC",
            "url": "https://github.com/vdohney/keepass-password-dumper"
          },
          {
            "name": "https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/",
            "refsource": "MISC",
            "url": "https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/"
          },
          {
            "name": "https://github.com/keepassxreboot/keepassxc/discussions/9433",
            "refsource": "MISC",
            "url": "https://github.com/keepassxreboot/keepassxc/discussions/9433"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:keepass:keepass:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.54",
                "versionStartIncluding": "2.00",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2023-32784"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-319"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking"
              ],
              "url": "https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/"
            },
            {
              "name": "https://github.com/vdohney/keepass-password-dumper",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/vdohney/keepass-password-dumper"
            },
            {
              "name": "https://github.com/keepassxreboot/keepassxc/discussions/9433",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking"
              ],
              "url": "https://github.com/keepassxreboot/keepassxc/discussions/9433"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-05-26T16:25Z",
      "publishedDate": "2023-05-15T06:15Z"
    }
  }
}

fkie_cve-2023-32784

Vulnerability from fkie_nvd

Published

2023-05-15 06:15

Modified

2025-01-23 20:15

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
cve@mitre.org	https://github.com/keepassxreboot/keepassxc/discussions/9433	Issue Tracking
cve@mitre.org	https://github.com/vdohney/keepass-password-dumper	Exploit, Third Party Advisory
cve@mitre.org	https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/	Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	https://github.com/keepassxreboot/keepassxc/discussions/9433	Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	https://github.com/vdohney/keepass-password-dumper	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/	Issue Tracking

Impacted products

	Vendor	Product	Version
	keepass	keepass	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:keepass:keepass:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "02B04F85-32CC-4B57-A6DE-2FE8BAD7A17D",
              "versionEndExcluding": "2.54",
              "versionStartIncluding": "2.00",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation."
    },
    {
      "lang": "es",
      "value": "En KeePass v2.x anterior a v2.54, es posible recuperar la contrase\u00f1a maestra en texto claro a partir de un volcado de memoria, incluso cuando un espacio de trabajo est\u00e1 bloqueado o ya no se ejecuta. El volcado de memoria puede ser un volcado de proceso de KeePass, un archivo de intercambio (pagefile.sys), un archivo de hibernaci\u00f3n (hiberfil.sys) o un volcado de RAM de todo el sistema. El primer car\u00e1cter no se puede recuperar. En la versi\u00f3n 2.54, hay un uso diferente de la API y/o inserci\u00f3n de una cadena aleatoria para la mitigaci\u00f3n. "
    }
  ],
  "id": "CVE-2023-32784",
  "lastModified": "2025-01-23T20:15:30.320",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-05-15T06:15:10.427",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/keepassxreboot/keepassxc/discussions/9433"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/vdohney/keepass-password-dumper"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/keepassxreboot/keepassxc/discussions/9433"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/vdohney/keepass-password-dumper"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-319"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-319"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

WID-SEC-W-2023-1207

Vulnerability from csaf_certbund

Published

2023-05-14 22:00

Modified

2023-05-14 22:00

Summary

KeePass: Schwachstelle ermöglicht Offenlegung von Informationen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

KeePass ist ein Open Source Passwortmanager.

Angriff

Ein lokaler Angreifer kann eine Schwachstelle in KeePass ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme

- UNIX - Linux - MacOS X - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "KeePass ist ein Open Source Passwortmanager.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein lokaler Angreifer kann eine Schwachstelle in KeePass ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- MacOS X\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-1207 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1207.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-1207 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1207"
      },
      {
        "category": "external",
        "summary": "NIST Database vom 2023-05-15",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32784"
      }
    ],
    "source_lang": "en-US",
    "title": "KeePass: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2023-05-14T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:50:48.753+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-1207",
      "initial_release_date": "2023-05-14T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-05-14T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source KeePass \u003c 2.54",
            "product": {
              "name": "Open Source KeePass \u003c 2.54",
              "product_id": "T027731",
              "product_identification_helper": {
                "cpe": "cpe:/a:keepass:keepass:2.54"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-32784",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in KeePass. Diese ist darauf zur\u00fcckzuf\u00fchren, dass aus einem Speicher-Dump das Masterpasswort bis auf das erste Zeichen extrahiert werden kann. Ein lokaler Angreifer kann diese Schwachstelle ausnutzen, um Informationen offenzulegen."
        }
      ],
      "release_date": "2023-05-14T22:00:00.000+00:00",
      "title": "CVE-2023-32784"
    }
  ]
}

wid-sec-w-2023-1207

Vulnerability from csaf_certbund

Published

2023-05-14 22:00

Modified

2023-05-14 22:00

Summary

KeePass: Schwachstelle ermöglicht Offenlegung von Informationen

Notes

Produktbeschreibung

KeePass ist ein Open Source Passwortmanager.

Angriff

Ein lokaler Angreifer kann eine Schwachstelle in KeePass ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme

- UNIX - Linux - MacOS X - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "KeePass ist ein Open Source Passwortmanager.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein lokaler Angreifer kann eine Schwachstelle in KeePass ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux\n- MacOS X\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-1207 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1207.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-1207 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1207"
      },
      {
        "category": "external",
        "summary": "NIST Database vom 2023-05-15",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32784"
      }
    ],
    "source_lang": "en-US",
    "title": "KeePass: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2023-05-14T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:50:48.753+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-1207",
      "initial_release_date": "2023-05-14T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-05-14T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source KeePass \u003c 2.54",
            "product": {
              "name": "Open Source KeePass \u003c 2.54",
              "product_id": "T027731",
              "product_identification_helper": {
                "cpe": "cpe:/a:keepass:keepass:2.54"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-32784",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in KeePass. Diese ist darauf zur\u00fcckzuf\u00fchren, dass aus einem Speicher-Dump das Masterpasswort bis auf das erste Zeichen extrahiert werden kann. Ein lokaler Angreifer kann diese Schwachstelle ausnutzen, um Informationen offenzulegen."
        }
      ],
      "release_date": "2023-05-14T22:00:00.000+00:00",
      "title": "CVE-2023-32784"
    }
  ]
}

ghsa-f4c7-5p8v-p7jh

Vulnerability from github

Published

2023-05-15 06:30

Modified

2024-04-04 04:04

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-32784"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-15T06:15:10Z",
    "severity": "HIGH"
  },
  "details": "In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation.",
  "id": "GHSA-f4c7-5p8v-p7jh",
  "modified": "2024-04-04T04:04:55Z",
  "published": "2023-05-15T06:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32784"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keepassxreboot/keepassxc/discussions/9433"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vdohney/keepass-password-dumper"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-32784 (GCVE-0-2023-32784)

Vulnerability from cvelistv5

Vulnerability from csaf_opensuse

Vulnerability from csaf_opensuse

Vulnerability from csaf_opensuse

Vulnerability from gsd

Vulnerability from fkie_nvd

Vulnerability from csaf_certbund

Vulnerability from csaf_certbund

Vulnerability from github

Tags

Sightings

Nomenclature