Hi Jennifer.
Thanks for sharing the link to the post regarding #keepass
I have read it and enjoyed it very much. Well done for getting it out there.
Just a couple of things if I may:
A fix has already been issued since 2.53.1 to mitigate the ‘scripting issue’ moving forward. Would be good if you mentioned this in your post to make sure it remains relevant and up to date.
There are other folks such as KeePassXC which do not support scripting and is not vulnerable to this CVE. Again, might be something you want to mention to give your readers more depth of knowledge.
I wrote a post about this myself back on Feb 18, 2023 called: Can We Trust KeePass Password Manager Moving Forward?
KeePass does get updated on a regular basis and it is not really the same as it was back in 2003. Also, they have maintained a legacy version KeePass 1.x which should not suffer this issue either.
It is also vital that people know the developer was active and engaging, and even though they did not fully agree with the CVE, they acted in the public interest and patched it.
There are also proof of concept designs which help inform people how this simple attack to be attempted - some on GitHub and I did folk one and link back from my article.
I have linked to my article below which takes a different spin than yours. It provides a different approach and perspective outcome in comparison. If you want to link them together, just let me know.
It is an interesting topic and I feel the real question is, this is a feature of the software (exporting), but why was there no protections turned on by default to require master password to trigger (there is already a setting for this but not on by default)?
Another related topic is allowing scripts to run in a password manager.
Yet another one relates to the ability to run third-party scripts in a password manager (hence the different folks).
And another one relates to, should people be running away to a different folk when those folks are maintained by other developers, and those folks have their own vulnerabilities or should we stay based on this being a feature, discussions since 2019 about it, developer actively engaging, and patching to address public concerns?
I feel we could talk about this for quite a while.
#password #passwordmanager #keepass #keepassxc #security #cybersecurity #vulnerability #vulnerabilityintelligence #cve #cve202324055
https://profcybernaught.hashnode.dev/can-we-trust-keepass-password-manager-moving-forward
#keepass #password #passwordmanager #keepassxc #security #cybersecurity #vulnerability #vulnerabilityintelligence #cve #cve202324055
VulnCheck’s lead threat researcher, @albinolobster assessed the CVE-2021-43798 #vulnerability affecting Grafana and shares how over a year later, 7,500 (or 8%) of Grafana instances indexed by Shodan remain vulnerable.
Our latest blog has more: https://vulncheck.com/blog/grafana-cve-2021-43798
#vulnerabilityintelligence #exploitintelligence
#vulnerability #vulnerabilityintelligence #exploitintelligence
Last week, we announced $3.2M in seed funding from Sorenson Ventures, In-Q-Tel, Lux Capital, and Aviso Ventures to scale our vulnerability intelligence platform and continue filling the gap in the #threatintelligence market.
#ICYMI: SecurityWeek highlights our efforts to help organizations manage the growing volume of publicly announced #vulnerabilities and take action against malicious hacker attacks: https://www.securityweek.com/vulncheck-raises-3-2m-seed-round-for-threat-intel/
#vulnerabilityintelligence #exploitintelligence
#threatintelligence #icymi #vulnerabilities #vulnerabilityintelligence #exploitintelligence
In our latest blog, @albinolobster explores why the lack of diversity in public exploits can lead to scenarios in which both attackers and defenders are only using or defending against suboptimal exploits: https://vulncheck.com/blog/cve-2022-47966-payload.
#vulnerabilityintelligence #exploitintelligence
#vulnerabilityintelligence #exploitintelligence
We’re thrilled to kick off 2023 with $3.2M in seed funding from Sorenson Ventures, In-Q-Tel, Lux Capital, and Aviso Ventures to scale our #vulnerabilityintelligence platform. See what’s ahead: https://www.businesswire.com/news/home/20230209005247/en/Featuring-World%E2%80%99s-Largest-Collection-of-Vulnerability-and-Exploit-Intelligence-VulnCheck-Raises-3.2-Million-to-Solve-Prioritization-Challenge-for-Enterprise-Government-and-Cybersecurity-Solution-Providers
#vulnerabilityintelligence #exploitintelligence