buttercup/buttercup-core

CVE-2023-41646

Closed this issue · 1 comment

Example: https://github.com/buttercup/buttercup-core/blob/master/source/core/VaultSource.ts#L267

Credentials, by design, currently stores the master password, when encrypted.

This should be refactored so that it is no longer stored anywhere, at rest.

Source repo: https://github.com/tristao-marinho/CVE-2023-41646

The attached PR prevents Buttercup from writing the master password to any stringified credentials, which is what was written to ~/local/share/Buttercup-nodejs/vaults.json in the original CVE description. The credentials are never plain text, but once updated after this is released it will no longer be included in the payload.
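As an added illustration of the fix pattern described above (this is not Buttercup's code; the `Credentials` class, `DatasourceConfig` shape and helper names are hypothetical), the "before" serialisation that carries the master password is shown next to a hardened form that keeps the password in memory only, plus a check a test suite could run before any payload is written to disk:

```typescript
// Added illustration, not Buttercup's own code: a hypothetical Credentials
// container whose persisted (at-rest) form never carries the master password.
interface DatasourceConfig {
  type: string;
  path: string;
}

// Deliberately has no password field: the master password lives only in memory.
interface PersistedCredentials {
  datasource: DatasourceConfig;
}

class Credentials {
  constructor(
    public readonly datasource: DatasourceConfig,
    private masterPassword: string | null = null
  ) {}

  // "Before" shape of the bug: the master password rides along with the
  // stringified credentials and so lands in whatever file they are written to.
  toStringUnsafe(): string {
    return JSON.stringify({ datasource: this.datasource, password: this.masterPassword });
  }

  // Hardened form: only the datasource description is serialised; the password
  // has to be supplied again (user prompt, in-memory session) on restore.
  toPersistedString(): string {
    const persisted: PersistedCredentials = { datasource: this.datasource };
    return JSON.stringify(persisted);
  }

  static fromPersistedString(payload: string, masterPassword: string | null): Credentials {
    const parsed = JSON.parse(payload) as PersistedCredentials;
    return new Credentials(parsed.datasource, masterPassword);
  }

  hasMasterPassword(): boolean {
    return this.masterPassword !== null;
  }
}

// Regression check to run before writing a credentials payload to disk:
// true if the secret appears in any string value, at any depth of the JSON.
function payloadContainsSecret(payload: string, secret: string): boolean {
  const walk = (v: unknown): boolean =>
    typeof v === "string" ? v.includes(secret)
    : Array.isArray(v) ? v.some(walk)
    : v !== null && typeof v === "object" ? Object.values(v as Record<string, unknown>).some(walk)
    : false;
  return walk(JSON.parse(payload));
}
```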