CVE-2023-36266

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-36266
An issue was discovered in Keeper Password Manager for Desktop version 16.10.2, and the KeeperFill Browser Extensions version 16.5.4, allows local attackers to gain sensitive information via plaintext password storage in memory after the user is already logged in, and may persist after logout. NOTE: the vendor disputes this for two reasons: the information is inherently available during a logged-in session when the attacker can read from arbitrary memory locations, and information only remains available after logout because of memory-management limitations of web browsers (not because the Keeper technology itself is retaining the information).

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
http://packetstormsecurity.com/files/173809/Keeper-Security-Desktop-16.10.2-Browser-Extension-16.5.4-Password-Dumper.html
https://harkenzo.tlstickle.com/2023-06-12-Keeper-Password-Dumping/ Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:keepersecurity:keeper:16.10.2:*:*:*:*:*:*:*
cpe:2.3:a:keepersecurity:keeperfill:16.5.4:*:*:*:*:*:*:*
History

07 Nov 2023, 04:16

Type Values Removed Values Added
Summary ** DISPUTED ** An issue was discovered in Keeper Password Manager for Desktop version 16.10.2, and the KeeperFill Browser Extensions version 16.5.4, allows local attackers to gain sensitive information via plaintext password storage in memory after the user is already logged in, and may persist after logout. NOTE: the vendor disputes this for two reasons: the information is inherently available during a logged-in session when the attacker can read from arbitrary memory locations, and information only remains available after logout because of memory-management limitations of web browsers (not because the Keeper technology itself is retaining the information). An issue was discovered in Keeper Password Manager for Desktop version 16.10.2, and the KeeperFill Browser Extensions version 16.5.4, allows local attackers to gain sensitive information via plaintext password storage in memory after the user is already logged in, and may persist after logout. NOTE: the vendor disputes this for two reasons: the information is inherently available during a logged-in session when the attacker can read from arbitrary memory locations, and information only remains available after logout because of memory-management limitations of web browsers (not because the Keeper technology itself is retaining the information).

31 Jul 2023, 19:15

Type Values Removed Values Added
References
  • (MISC) http://packetstormsecurity.com/files/173809/Keeper-Security-Desktop-16.10.2-Browser-Extension-16.5.4-Password-Dumper.html -

24 Jul 2023, 16:15

Type Values Removed Values Added
Summary An issue was discovered in Keeper Password Manager for Desktop version 16.10.2, and the KeeperFill Browser Extensions version 16.5.4, allows local attackers to gain sensitive information via plaintext password storage in memory after the user is already logged in, and may persist after logout. ** DISPUTED ** An issue was discovered in Keeper Password Manager for Desktop version 16.10.2, and the KeeperFill Browser Extensions version 16.5.4, allows local attackers to gain sensitive information via plaintext password storage in memory after the user is already logged in, and may persist after logout. NOTE: the vendor disputes this for two reasons: the information is inherently available during a logged-in session when the attacker can read from arbitrary memory locations, and information only remains available after logout because of memory-management limitations of web browsers (not because the Keeper technology itself is retaining the information).

20 Jul 2023, 19:59

Type Values Removed Values Added
CWE CWE-522
CPE cpe:2.3:a:keepersecurity:keeperfill:16.5.4:*:*:*:*:*:*:*
cpe:2.3:a:keepersecurity:keeper:16.10.2:*:*:*:*:*:*:*
References (MISC) https://harkenzo.tlstickle.com/2023-06-12-Keeper-Password-Dumping/ - (MISC) https://harkenzo.tlstickle.com/2023-06-12-Keeper-Password-Dumping/ - Third Party Advisory
First Time Keepersecurity keeper
Keepersecurity keeperfill
Keepersecurity
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.5

12 Jul 2023, 17:58

Type Values Removed Values Added
New CVE
Information

Published : 2023-07-12 16:15

Updated : 2024-04-11 01:20

NVD link : CVE-2023-36266

Mitre link : CVE-2023-36266

CVE.ORG link : CVE-2023-36266

JSON object : View

Products Affected

keepersecurity

  • keeper
  • keeperfill
CWE
CWE-522

Insufficiently Protected Credentials