[arch-security] [ASA-201512-8] keepassx: information disclosure

Levente Polyak anthraxx at archlinux.org
Thu Dec 10 21:28:47 UTC 2015


Arch Linux Security Advisory ASA-201512-8
=========================================

Severity: Medium
Date    : 2015-12-10
CVE-ID  : CVE-2015-8378
Package : keepassx
Type    : information disclosure
Remote  : No
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package keepassx before version 0.4.4-1 is vulnerable to information
disclosure via unintended export of plaintext credentials.

Resolution
==========

Upgrade to 0.4.4-1.

# pacman -Syu "keepassx>=0.4.4-1"

The problem has been fixed upstream in version 0.4.4.

Workaround
==========

None.

Description
===========

It was found that XML export function creates hidden XML file containing
user passwords in plaintext without warning, when the export is
canceled, which may go unnoticed by the user.

In this case the password database was exported as the file “.xml” in
the current working directory (often $HOME or the directory of the
database) and is world readable.

Impact
======

A local attacker can get access to secret plaintext credentials via an
unintentionally exported world readable password database.

References
==========

https://access.redhat.com/security/cve/CVE-2015-8378
https://www.keepassx.org/news/2015/12/551

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20151210/fcf7a25c/attachment.asc>


More information about the arch-security mailing list