CVE-2024-33669

Опубликовано: 26 апр. 2024

Источник: nvd

CVSS3: 6.1

CVSS3: 6.8

EPSS Низкий

Описание

An issue was discovered in Passbolt Browser Extension before 4.6.2. It can send multiple requests to HaveIBeenPwned while a password is being typed, which results in an information leak. This allows an attacker capable of observing Passbolt's HTTPS queries to the Pwned Password API to more easily brute force passwords that are manually typed by the user.

Ссылки

https://blog.quarkslab.com/passbolt-a-bold-use-of-haveibeenpwned.html
Exploit
Third Party Advisory
https://haveibeenpwned.com
Product
https://help.passbolt.com/incidents/pwned-password-service-information-leak
Issue Tracking
Vendor Advisory
https://www.passbolt.com
Product
https://www.passbolt.com/security/more
Product
https://blog.quarkslab.com/passbolt-a-bold-use-of-haveibeenpwned.html
Exploit
Third Party Advisory
https://haveibeenpwned.com
Product
https://help.passbolt.com/incidents/pwned-password-service-information-leak
Issue Tracking
Vendor Advisory
https://www.passbolt.com
Product
https://www.passbolt.com/security/more
Product

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:passbolt:passbolt_browser_extension:*:*:*:*:*:*:*:*

Версия до 4.6.2 (исключая)

EPSS

Процентиль: 37%

0.00159

Низкий

6.1 Medium

CVSS3

6.8 Medium

CVSS3

Дефекты

CWE-200

Связанные уязвимости

GHSA-xfq4-78j7-v594

CVSS3: 6.1

github

почти 2 года назад

Passbolt Browser Extension leaks password information

EPSS

Процентиль: 37%

0.00159

Низкий

6.1 Medium

CVSS3

6.8 Medium

CVSS3

Дефекты

CWE-200