CVE-2023-41646: Use of Password Hash With Insufficient Computational Effort

September 8, 2023 (updated December 13, 2023)

Buttercup v2.20.3 allows attackers to obtain the hash of the master password for the password manager via accessing the file /vaults.json/

References

buttercup.pw/
github.com/advisories/GHSA-7cwq-p8cr-h9qg
github.com/buttercup/buttercup-core/commit/77fbcdfe4caf57486a3c83c07fc6d36bb0e1d3e1
github.com/buttercup/buttercup-core/issues/336
github.com/tristao-marinho/CVE-2023-41646/
nvd.nist.gov/vuln/detail/CVE-2023-41646

Code Behaviors & Features

Detect and mitigate CVE-2023-41646 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →