Arch Linux Security Advisory ASA-201512-8
=========================================
Severity: Medium
Date    : 2015-12-10
CVE-ID  : CVE-2015-8378
Package : keepassx
Type    : information disclosure
Remote  : No
Link    : https://wiki.archlinux.org/title/CVE

Summary
=======
The package keepassx before version 0.4.4-1 is vulnerable to information
disclosure via unintended export of plaintext credentials.

Resolution
==========
Upgrade to 0.4.4-1.

# pacman -Syu "keepassx>=0.4.4-1"

The problem has been fixed upstream in version 0.4.4.

Workaround
==========
None.

Description
===========
It was found that the XML export function creates a hidden XML file
containing the user's passwords in plaintext, without warning, when the
export is canceled, which may go unnoticed by the user.

In this case the password database is exported as the file “.xml” in
the current working directory (often $HOME or the directory of the
database) and is world readable.
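The failure mode above, modelled as an added example (this is not KeePassX's own code): a flawed exporter that still writes when the file dialog is canceled, beside a corrected one that writes nothing on cancel and creates the file owner-only, plus a check that finds and locks down such leftover files. It assumes a canceled dialog yields an empty name and that the exporter appends ".xml" to it; the database content is constructed.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Optional

# Constructed stand-in for a decrypted password database (not real data).
SAMPLE_DB_XML = (
    "<database><entry><title>mail</title>"
    "<password>hunter2</password></entry></database>\n"
)


def export_vulnerable(db_xml: str, chosen_name: Optional[str], cwd: Path) -> Path:
    """Model of the flaw (assumption: a canceled dialog yields an empty name
    and the exporter appends ".xml" and proceeds anyway). Cancel therefore
    produces the hidden file ".xml" in the working directory, created with
    the process umask, which on a typical desktop gives mode 0644."""
    stem = chosen_name or ""          # cancel -> "" -> ".xml"
    target = cwd / f"{stem}.xml"
    target.write_text(db_xml)         # default mode: usually world readable
    return target


def export_hardened(db_xml: str, chosen_name: Optional[str], cwd: Path) -> Optional[Path]:
    """Corrected pattern: write nothing on cancel, and open the file
    owner-only (0600) before any plaintext reaches disk. umask can only
    clear permission bits, so 0600 never becomes world readable."""
    if not chosen_name:
        return None
    target = cwd / f"{chosen_name}.xml"
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(db_xml)
    return target


def find_leaked_exports(dirs) -> List[Path]:
    """Defender check: list ".xml" files readable by group or others in the
    directories a canceled export could have landed in ($HOME, database dir)."""
    leaked = []
    for d in dirs:
        candidate = Path(d) / ".xml"
        if candidate.is_file():
            mode = candidate.stat().st_mode
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                leaked.append(candidate)
    return leaked


def lock_down(path: Path) -> int:
    """Remediation for a found leak: make it owner-only; returns the new mode bits."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(path.stat().st_mode)


def demo() -> dict:
    """Run both exporters against a canceled dialog in a scratch directory."""
    old_umask = os.umask(0o022)      # typical desktop default
    try:
        with tempfile.TemporaryDirectory() as tmp:
            cwd = Path(tmp)
            leaked = export_vulnerable(SAMPLE_DB_XML, None, cwd)
            found_before = find_leaked_exports([cwd])
            hardened_cancel = export_hardened(SAMPLE_DB_XML, None, cwd)
            hardened_ok = export_hardened(SAMPLE_DB_XML, "backup", cwd)
            fixed_mode = lock_down(leaked)
            return {
                "vulnerable_name": leaked.name,
                "vulnerable_world_readable": len(found_before) == 1,
                "hardened_wrote_on_cancel": hardened_cancel is not None,
                "hardened_mode": stat.S_IMODE(hardened_ok.stat().st_mode),
                "fixed_mode": fixed_mode,
                "found_after_fix": len(find_leaked_exports([cwd])),
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it directly to see the flawed exporter leave a world-readable ".xml" behind on cancel while the hardened one leaves nothing; pointing find_leaked_exports at $HOME and the database directory is the check a user of an affected version would want to run.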

Impact
======
A local attacker can read plaintext credentials from an unintentionally
exported, world-readable password database.

References
==========
https://access.redhat.com/security/cve/CVE-2015-8378
https://www.keepassx.org/news/2015/12/551/
