Lucene search

[email protected]CVE-2017-8296

HistoryApr 27, 2017 - 3:59 p.m.

CVE-2017-8296

2017-04-2715:59:00

CWE-522

[email protected]

web.nvd.nist.gov

kedpm

cve-2017-8296

history file

cleartext

disclosure

master password

password entries

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.5 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.5%

JSON

kedpm 0.5 and 1.0 creates a history file in ~/.kedpm/history that is written in cleartext. All of the commands performed in the password manager are written there. This can lead to the disclosure of the master password if the “password” command is used with an argument. The names of the password entries created and consulted are also accessible in cleartext.

Affected configurations

NVD

Node

ked_password_manager_projectked_password_managerMatch0.5

ked_password_manager_projectked_password_managerMatch1.0

CPENameOperatorVersion
ked_password_manager_project:ked_password_managerked password manager project ked password managereq0.5
ked_password_manager_project:ked_password_managerked password manager project ked password managereq1.0

CPE	Name	Operator	Version
ked_password_manager_project:ked_password_manager	ked password manager project ked password manager	eq	0.5
ked_password_manager_project:ked_password_manager	ked password manager project ked password manager	eq	1.0