CVE-2023-36266
low-risk
Published 2023-07-12
An issue was discovered in Keeper Password Manager for Desktop version 16.10.2 (fixed in 17.2), and the KeeperFill Browser Extensions version 16.5.4 (fixed in 17.2), allows local attackers to gain sensitive information via plaintext password storage in memory after the user is already logged in, and may persist after logout. NOTE: the vendor disputes this for two reasons: the information is inherently available during a logged-in session when the attacker can read from arbitrary memory locations, and information only remains available after logout because of memory-management limitations of web browsers (not because the Keeper technology itself is retaining the information).
Do I need to act?
-
0.37% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10
Medium
LOCAL
/ LOW complexity
Affected Products (2)
Keeper
Keeperfill
Affected Vendors
References (6)
Third Party Advisory
https://harkenzo.tlstickle.com/2023-06-12-Keeper-Password-Dumping/
Third Party Advisory
https://harkenzo.tlstickle.com/2023-06-12-Keeper-Password-Dumping/
26
/ 100
low-risk
Severity
18/34 · Moderate
Exploitability
1/34 · Minimal
Exposure
7/34 · Low