KeePass has released version 2.54, fixing the CVE-2023-3278 vulnerability that allows the extraction of the cleartext master password from the application’s memory.
In May 2023, security researcher ‘vdohney’ disclosed a vulnerability and proof-of-concept exploit that allowed you to partially extract the cleartext KeepPass master password from a memory dump of the application.
Once the password is retrieved, they can open the KeePass password database and access all the saved account credentials.
Reichl also introduced “Dummy strings” with random characters into the memory of the KeePass process to make it harder to retrieve fragments of the password from memory and combine them into a valid master password.
Users who cannot upgrade to KeePass 2.54 are recommended to reset their master password, delete crash dumps, hibernation files, and swap files that might contain fragments of their master password, or perform a fresh OS install.
KeePass exploit helps retrieve cleartext master password, fix coming soon.
