Vulnerability Description
kedpm 0.5 and 1.0 creates a history file in ~/.kedpm/history that is written in cleartext. All of the commands performed in the password manager are written there. This can lead to the disclosure of the master password if the "password" command is used with an argument. The names of the password entries created and consulted are also accessible in cleartext.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ked Password Manager Project | Ked Password Manager | 0.5 |
Related Weaknesses (CWE)
References
- http://openwall.com/lists/oss-security/2017/04/26/9Mailing ListThird Party Advisory
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860817Issue TrackingPatch
- https://security.gentoo.org/glsa/201708-04
- https://sourceforge.net/p/kedpm/bugs/6/Issue TrackingPatchThird Party Advisory
- http://openwall.com/lists/oss-security/2017/04/26/9Mailing ListThird Party Advisory
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860817Issue TrackingPatch
- https://security.gentoo.org/glsa/201708-04
- https://sourceforge.net/p/kedpm/bugs/6/Issue TrackingPatchThird Party Advisory
FAQ
What is CVE-2017-8296?
CVE-2017-8296 is a vulnerability with a CVSS score of 7.5 (HIGH). kedpm 0.5 and 1.0 creates a history file in ~/.kedpm/history that is written in cleartext. All of the commands performed in the password manager are written there. This can lead to the disclosure of t...
How severe is CVE-2017-8296?
CVE-2017-8296 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-8296?
Check the references section above for vendor advisories and patch information. Affected products include: Ked Password Manager Project Ked Password Manager.