CVE-2024-45394

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-45394
Authenticator is a browser extension that generates two-step verification codes. In versions 7.0.0 and below, encryption keys for user data were stored encrypted at-rest using only AES-256 and the EVP_BytesToKey KDF. Therefore, attackers with a copy of a user's data are able to brute-force the user's encryption key. Users on version 8.0.0 and above are automatically migrated away from the weak encoding on first login. Users should destroy encrypted backups made with versions prior to 8.0.0.

7.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/Authenticator-Extension/Authenticator/security/advisories/GHSA-gv8m-vgp8-q2xr Vendor Advisory
https://github.com/Authenticator-Extension/Authenticator/commit/17aa2068553db3c3aac081c9ffe393536f33b28b Patch
Configurations

Configuration 1 (hide)

cpe:2.3:a:authenticator:authenticator:*:*:*:*:*:*:*:*
History

09 Oct 2024, 15:15

Type Values Removed Values Added
Summary Authenticator is a browser extensions that generates two-step verification codes. In versions 7.0.0 and below, encryption keys for user data were stored encrypted at-rest using only AES-256 and the EVP_BytesToKey KDF. Therefore, attackers with a copy of a user's data are able to brute-force the user's encryption key. Users on version 8.0.0 and above are automatically migrated away from the weak encoding on first login. Users should destroy encrypted backups made with versions prior to 8.0.0. Authenticator is a browser extension that generates two-step verification codes. In versions 7.0.0 and below, encryption keys for user data were stored encrypted at-rest using only AES-256 and the EVP_BytesToKey KDF. Therefore, attackers with a copy of a user's data are able to brute-force the user's encryption key. Users on version 8.0.0 and above are automatically migrated away from the weak encoding on first login. Users should destroy encrypted backups made with versions prior to 8.0.0.

17 Sep 2024, 13:26

Type Values Removed Values Added
CWE CWE-327
CWE-326
First Time Authenticator authenticator
Authenticator
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.8
References () https://github.com/Authenticator-Extension/Authenticator/security/advisories/GHSA-gv8m-vgp8-q2xr - () https://github.com/Authenticator-Extension/Authenticator/security/advisories/GHSA-gv8m-vgp8-q2xr - Vendor Advisory
References () https://github.com/Authenticator-Extension/Authenticator/commit/17aa2068553db3c3aac081c9ffe393536f33b28b - () https://github.com/Authenticator-Extension/Authenticator/commit/17aa2068553db3c3aac081c9ffe393536f33b28b - Patch
CPE cpe:2.3:a:authenticator:authenticator:*:*:*:*:*:*:*:*

03 Sep 2024, 21:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-03 21:15

Updated : 2024-10-09 15:15

NVD link : CVE-2024-45394

Mitre link : CVE-2024-45394

JSON object : View

Products Affected

authenticator

  • authenticator
CWE
CWE-326

Inadequate Encryption Strength

CWE-327

Use of a Broken or Risky Cryptographic Algorithm