CVE-2023-41646 #336

perry-mitchell · 2023-09-15T17:40:34Z

Example: https://github.com/buttercup/buttercup-core/blob/master/source/core/VaultSource.ts#L267

Credentials, by design, currently stores the master password, when encrypted.

This should be refactored so that it is no longer stored anywhere, at rest.

Source repo: https://github.com/tristao-marinho/CVE-2023-41646

The text was updated successfully, but these errors were encountered:

Fixes #336

perry-mitchell · 2023-12-09T20:32:05Z

The attached PR prevents Buttercup from writing the master password to any stringified credentials, which is what was written to ~/local/share/Buttercup-nodejs/vaults.json in the original CVE description. The credentials are never plain text, but once updated after this is released it will no longer be included in the payload.

perry-mitchell added Type: Bug Status: Pending Effort: High labels Sep 15, 2023

perry-mitchell self-assigned this Sep 15, 2023

perry-mitchell added Status: In Progress and removed Status: Pending labels Dec 9, 2023

perry-mitchell added a commit that referenced this issue Dec 9, 2023

Remove masterPassword from Credentials rest

77fbcdf

Fixes #336

perry-mitchell mentioned this issue Dec 9, 2023

Security update, CVE-2023-41646 #338

Merged

perry-mitchell closed this as completed in #338 Dec 9, 2023

perry-mitchell added Status: Completed and removed Status: In Progress labels Dec 9, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2023-41646 #336

CVE-2023-41646 #336

perry-mitchell commented Sep 15, 2023

perry-mitchell commented Dec 9, 2023

CVE-2023-41646 #336

CVE-2023-41646 #336

Comments

perry-mitchell commented Sep 15, 2023

perry-mitchell commented Dec 9, 2023