[arch-security] [ASA-201512-8] keepassx: information disclosure
Arch Linux Security Advisory ASA-201512-8
=========================================

Severity: Medium
Date    : 2015-12-10
CVE-ID  : CVE-2015-8378
Package : keepassx
Type    : information disclosure
Remote  : No
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package keepassx before version 0.4.4-1 is vulnerable to information
disclosure via unintended export of plaintext credentials.

Resolution
==========

Upgrade to 0.4.4-1.

# pacman -Syu "keepassx>=0.4.4-1"

The problem has been fixed upstream in version 0.4.4.

Workaround
==========

None.

Description
===========

It was found that the XML export function creates a hidden XML file
containing the user's passwords in plaintext, without any warning, when the
export is cancelled. This may go unnoticed by the user. In this case the
password database is exported as the file ".xml" in the current working
directory (often $HOME or the directory of the database) and is world
readable.

Impact
======

A local attacker can gain access to secret plaintext credentials via an
unintentionally exported, world readable password database.

References
==========

https://access.redhat.com/security/cve/CVE-2015-8378
https://www.keepassx.org/news/2015/12/551
participants (1)
-
Levente Polyak