
The vulnerability described requires write access to the KeePass configuration file.

Triggers automate workflows in KeePass 2.x, and the official help file has a section on them. They may be used for a variety of tasks, including exporting the active database to a file or URL, and they run automatically when all trigger conditions are fulfilled. Update: KeePass 2.53.1 introduced a change that addresses the issue. After installation of the update, the password manager prompts for the master password whenever data is exported.

The Federal Cyber Emergency Team of Belgium, cert.be, released a warning regarding KeePass. According to the warning, attackers with write access to the KeePass configuration file may modify it with triggers to export the entire password database in cleartext without user confirmation.
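Because the issue depends on triggers being written into the configuration file, a defender can audit that file for triggers nobody reviewed. The following is an added example, not code from KeePass or from the original article: it lists every trigger in a configuration and reports those whose fingerprint is missing from a reviewed baseline. The element names (`Trigger`, `Name`, `Enabled`, `Action`, `TypeGuid`, `Parameter`) are an assumed layout of the KeePass 2.x configuration XML, and the sample configuration and its placeholder values are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample; element names follow an assumed KeePass 2.x config layout.
SAMPLE_CONFIG = """<Configuration><Application><TriggerSystem><Triggers>
  <Trigger>
    <Name>constructed-export-trigger</Name>
    <Enabled>true</Enabled>
    <Actions><Action>
      <TypeGuid>PLACEHOLDER-ACTION-TYPE</TypeGuid>
      <Parameters><Parameter>PLACEHOLDER-OUTPUT-PATH</Parameter></Parameters>
    </Action></Actions>
  </Trigger>
  <Trigger>
    <Name>constructed-disabled-trigger</Name>
    <Enabled>false</Enabled>
    <Actions />
  </Trigger>
</Triggers></TriggerSystem></Application></Configuration>"""


def describe(trigger):
    """Summarise one <Trigger> element and fingerprint its full content."""
    actions = [
        ((a.findtext("TypeGuid") or "").strip(),
         tuple((p.text or "").strip() for p in a.iter("Parameter")))
        for a in trigger.iter("Action")
    ]
    name = (trigger.findtext("Name") or "").strip()
    # Assumption: a missing <Enabled> element is treated as enabled (conservative).
    enabled = (trigger.findtext("Enabled") or "true").strip().lower() != "false"
    # Hash every tag and text value in document order, so a change to any
    # event, condition, action or parameter yields a new fingerprint.
    content = [(e.tag, (e.text or "").strip()) for e in trigger.iter()]
    digest = hashlib.sha256(repr(content).encode()).hexdigest()
    return {"name": name, "enabled": enabled, "actions": actions, "fingerprint": digest}


def audit_triggers(xml_text, baseline=frozenset()):
    """Return every trigger whose fingerprint is not in the reviewed baseline."""
    root = ET.fromstring(xml_text)
    found = [describe(t) for t in root.iter("Trigger")]
    return [f for f in found if f["fingerprint"] not in baseline]


if __name__ == "__main__":
    for finding in audit_triggers(SAMPLE_CONFIG):
        state = "enabled" if finding["enabled"] else "disabled"
        print(f"unreviewed trigger {finding['name']!r} ({state}): {finding['actions']}")
```

Store the baseline fingerprints somewhere the account running KeePass cannot write to; otherwise the same write access that changes the configuration can change the baseline.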

KeePass XC: fork of KeePass without the issue
