CVE-2024-33901
Published: 20 May 2024
Summary
CVE-2024-33901 is a medium-severity Cleartext Storage of Sensitive Information in Memory (CWE-316) vulnerability in KeePassXC (vendor: KeePassXC). Its CVSS base score is 6.5 (Medium).
Operationally, it ranks in the top 3.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-33901 affects KeePassXC 2.7.7 and stems from memory-management behavior that leaves portions of decrypted .kdbx database contents, including some stored passwords, readable in process memory. The flaw is tracked under CWE-316 and carries a CVSS 3.1 score of 6.5, reflecting a network attack vector, low complexity and low-privileged access, resulting in high confidentiality impact.
An attacker who already possesses the privileges of the victim user can obtain a memory dump of the KeePassXC process and extract the exposed password material. Because the issue is inherent to the current design constraints around keeping decrypted data in RAM for usability, the vendor disputes that the behavior constitutes a vulnerability that can be eliminated without unacceptable trade-offs.
Public references, including the KeePassXC issue tracker and the project’s prior memory-security write-up, indicate no patch is planned and reiterate that realistic alternatives still require sensitive data to reside in process memory during active sessions. The associated EPSS score has remained flat at 0.2377 with no observed rise after disclosure.
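The trade-off described above, as an added example in C for Linux (not KeePassXC's own code): the decrypted secret has to sit in RAM while the database is unlocked, but the process can still refuse core dumps and same-user ptrace attach, keep the secret's pages out of swap, and wipe the buffer once the session ends. Function names and the sample password are constructed for this illustration.

```c
// Added example, not code from KeePassXC. Linux-only (prctl, setrlimit, mlock).
#define _GNU_SOURCE
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/resource.h>

// Make the process non-dumpable: no core file is written, and other processes
// running as the same unprivileged user can no longer ptrace-attach or read
// /proc/<pid>/mem. Returns 0 on success, -1 on failure.
int harden_process(void) {
    struct rlimit no_core = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &no_core) != 0) return -1;
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0 ? 0 : -1;
}

// Pin the pages holding a secret so they are never written to swap.
// Returns 0 on success; callers should treat -1 as a hard error, not ignore it.
int lock_secret_pages(void *buf, size_t len) {
    return mlock(buf, len) == 0 ? 0 : -1;
}

// Overwrite a secret through a volatile pointer so the compiler cannot drop
// the stores as dead (the guarantee explicit_bzero gives on glibc).
void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = buf;
    while (len--) *p++ = 0;
}

// 1 if the password bytes still occur anywhere in buf, else 0.
int secret_present(const unsigned char *buf, size_t len, const char *pw) {
    size_t n = strlen(pw);
    for (size_t i = 0; n > 0 && i + n <= len; i++)
        if (memcmp(buf + i, pw, n) == 0) return 1;
    return 0;
}

// Simulate one unlock session: copy a "decrypted" password into a buffer, confirm
// it is readable while in use (the unavoidable part), then wipe it on lock.
// Returns 0 when the plaintext is gone after the wipe, -1 otherwise.
int session_demo(void) {
    static unsigned char vault[64];                 // constructed sample buffer
    const char *sample = "correct-horse-battery";   // constructed sample secret
    memcpy(vault, sample, strlen(sample) + 1);      // stands in for decryption
    int in_use = secret_present(vault, sizeof vault, sample);   // 1 while unlocked
    secure_wipe(vault, sizeof vault);               // database locked / closed
    int after = secret_present(vault, sizeof vault, sample);    // 0 once wiped
    return (in_use == 1 && after == 0) ? 0 : -1;
}
```

Note that none of this removes the window the advisory describes: while the database is unlocked, a process with the same privileges that can still attach (for example as root) will find the plaintext.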
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-31605
Vulnerability details
Issue in KeePassXC 2.7.7 allows an attacker (who has the privileges of the victim) to recover some passwords stored in the .kdbx database via a memory dump. NOTE: the vendor disputes this because memory-management constraints make this unavoidable in the current design and other realistic designs.
- CWE(s): CWE-316 (Cleartext Storage of Sensitive Information in Memory)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.