A vulnerability in KeePass password manager could allow attackers to retrieve users’ master passwords in plaintext. The developer is working on a solution, although it will not appear until June at the earliest.
Security researcher ‘vdohney’ published a proof-of-concept for the vulnerability on GitHub. The vulnerability, which can be tracked through CVE-2023-3278 , can be exploited with this tool. Attackers who have access to a user’s PC can perform a memory dump to display most of the master password in plaintext, even if the database is locked or the program is closed. The first or first two characters of the password are missing, but can be guessed to recover the entire password.
All existing versions of KeePass 2.x are reportedly affected by the vulnerability. A fix will follow in version 2.54, which is expected in June. Bleeping Computer warns that the master password may still be recoverable after the release of the new version, because the files are stored in memory. To be on the safe side, users may need to reinstall their PC’s operating system and overwrite existing data.
KeePass is a free, open source password manager. Earlier this year there was also of a vulnerability in KeePass, the Dutch Cyber Security Center warned. At first the developer did not want to close the leak, but in the end this happened anyway.