[arch-security] [ASA-201512-8] keepassx: information disclosure
anthraxx at archlinux.org
Thu Dec 10 21:28:47 UTC 2015
Arch Linux Security Advisory ASA-201512-8
Date : 2015-12-10
CVE-ID : CVE-2015-8378
Package : keepassx
Type : information disclosure
Remote : No
Link : https://wiki.archlinux.org/index.php/CVE
The package keepassx before version 0.4.4-1 is vulnerable to information
disclosure via unintended export of plaintext credentials.
Upgrade to 0.4.4-1.
# pacman -Syu "keepassx>=0.4.4-1"
The problem has been fixed upstream in version 0.4.4.
It was found that the XML export function creates a hidden XML file
containing user passwords in plaintext without warning when the export
is canceled, which may go unnoticed by the user.
In this case the password database is exported as the file “.xml” in
the current working directory (often $HOME or the directory of the
database) and is world readable.
A local attacker can get access to secret plaintext credentials via an
unintentionally exported world readable password database.
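A check for the leftover file described above, as an added example that is not part of the original advisory: it lists regular files named exactly ".xml" under the given directories and marks those with the world-read bit set. The function names and the sample tree are constructed for illustration and contain no real credentials.

```shell
#!/bin/sh
# Added example (not from the advisory): look for the hidden ".xml" file
# that a canceled KeePassX XML export can leave behind.

# Print one line per regular file named exactly ".xml" under each root:
#   WORLD-READABLE<TAB>path   others-read bit set (the case in the advisory)
#   restricted<TAB>path       not world readable, still worth inspecting
scan_leftover_exports() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        # -xdev keeps the scan on one filesystem; errors from unreadable
        # directories are discarded so the report stays clean.
        find "$root" -xdev -type f -name '.xml' -perm -004 \
            -exec printf 'WORLD-READABLE\t%s\n' {} + 2>/dev/null
        find "$root" -xdev -type f -name '.xml' ! -perm -004 \
            -exec printf 'restricted\t%s\n' {} + 2>/dev/null
    done
}

# Build a constructed sample tree and print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home/alice" "$d/home/bob/db"
    # Hidden ".xml" left in a home directory, world readable.
    echo '<constructed-sample/>' > "$d/home/alice/.xml"
    chmod 644 "$d/home/alice/.xml"
    # Hidden ".xml" next to a database, owner-only permissions.
    echo '<constructed-sample/>' > "$d/home/bob/db/.xml"
    chmod 600 "$d/home/bob/db/.xml"
    # Ordinary XML file with a real name: must not be reported.
    echo '<constructed-sample/>' > "$d/home/bob/notes.xml"
    chmod 644 "$d/home/bob/notes.xml"
    printf '%s\n' "$d"
}

# Typical use on a real system (run as root to cover every home):
#   scan_leftover_exports /home /root
```

Any file this reports should be inspected and, if it is a password export, deleted.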