CVE-2023-41646 – buttercup
Package
Manager: npm
Name: buttercup
Vulnerable Version: >=2.20.3 <7.4.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00068 (percentile 0.21421)
Details
Buttercup allows attackers to obtain the hash of the master password for the password manager by accessing the file /vaults.json/. This affects the Buttercup app up to version 2.20.3.
Metadata
Created: 2023-09-08T00:31:02Z
Modified: 2023-12-13T23:22:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-7cwq-p8cr-h9qg/GHSA-7cwq-p8cr-h9qg.json
CWE IDs: ["CWE-916"]
Alternative ID: GHSA-7cwq-p8cr-h9qg
Finding: F052
Auto approve: 1