CVE-2024-45394

3 Sep 2024

Título es

CVE-2024-45394

Mar, 03/09/2024 – 21:15

Tipo

CWE-261

Gravedad 2.0 Txt

Pendiente de análisis

Título en

CVE-2024-45394

Descripción en

Authenticator is a browser extensions that generates two-step verification codes. In versions 7.0.0 and below, encryption keys for user data were stored encrypted at-rest using only AES-256 and the EVP_BytesToKey KDF. Therefore, attackers with a copy of a user's data are able to brute-force the user's encryption key. Users on version 8.0.0 and above are automatically migrated away from the weak encoding on first login. Users should destroy encrypted backups made with versions prior to 8.0.0.

03/09/2024

Vector CVSS:3.1

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Gravedad 3.1 (CVSS 3.1 Base Score)

8.80

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)

HIGH

Referencias

https://github.com/Authenticator-Extension/Authenticator/commit/17aa2068553db3c3aac081c9ffe393536f33b28b

https://github.com/Authenticator-Extension/Authenticator/security/advisories/GHSA-gv8m-vgp8-q2xr

Enviar en el boletín

Off

CVE-2024-45394

CVE-2024-45394

Jose Alexis Correa Valencia